----- Original Message -----
From: "Vlastimil Elias" <velias(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 11 March, 2015 10:45:06 AM
Subject: [keycloak-dev] Improvements of registration over Social Login providers
Hi great Keycloak dev team,
during the implementation of
https://issues.jboss.org/browse/KEYCLOAK-1074 I
found a few things which should be improved in the area of registration over
Social Login providers.
I'd like to discuss them here before creating JIRAs. I believe I should
implement these changes if you are interested.
1. It is not possible to disable registration over Social provider
======================================
Once a provider is created, it is always possible to register over it, even
if "User registration" is disabled in the realm "Login Settings". I think it
should be possible to disable social registrations and allow only linking of
social logins to existing accounts (e.g. loaded from another system).
Marek Posolda pointed me to
https://issues.jboss.org/browse/KEYCLOAK-1036
which was rejected without any comment. I understand that this global setting
is probably not a good solution, so my proposal is to add an independent "User
registration" switch to the configuration of each Identity provider, so the admin
gets fine-grained control.
-1
IMO when you add an identity broker (or social provider) you are allowing all those users
to log in. When a user logs in for the first time using an identity broker we're not really
registering the user, just creating an internal representation.
2. Username from Social provider is used as Keycloak username during
registration
===================================================
This can lead to a situation where a user registering e.g. over Twitter will
not be able to register, because another user e.g. from Facebook uses the same
username there and occupied it in Keycloak first.
My proposal is to extend the configuration of each Identity provider with a new
option "Username type", which will be a select with these options:
* provided username exact - works as now: the username is taken from the provider,
and the user can't register if it is already occupied in KC
* provided username unique - KC takes the username from the provider; if it is
occupied, it appends a random number to create a unique username
and lets the user register
* provided email - this is related to KEYCLOAK-1074; I need this option
for my project. I know that email is not provided by some providers (e.g.
Twitter), so I can't use them until KEYCLOAK-1053 is resolved somehow
So let me know what you think about my proposals; can I implement them?
-1
If it's using the username from the identity provider, that's not correct; it
should just be set to something unique (it could be set to the same as the user id). That's how
it used to be before identity brokering was introduced.
We have an open issue to allow users to change their username. This would then be used by
a user that wants to enable regular logins in the above scenario. We could improve the
account management around this; for example, it should not display the username if it's the
same as the user id, but have an option for a user to "enable regular login" by
providing a username and password.
Cheers
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
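The two proposals in the thread (a per-provider "User registration" switch in point 1, and the "Username type" options in point 2) together with the reply's alternative of using the internal user id as the username can be exercised as a small simulation. The following is an added example, not Keycloak code and not from either participant: the names `IdentityProviderConfig`, `UsernamePolicy`, `UserStore` and the in-memory store are assumptions made for the example, and the two "alice" identities are constructed input. It shows why the "exact" policy blocks the second "alice", why the "email" policy fails for a provider that supplies no email, and that returning users are matched only on the provider's subject id, never on username or email.

```python
import secrets
import uuid
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class UsernamePolicy(Enum):
    PROVIDED_EXACT = "provided username exact"    # refuse if the name is taken
    PROVIDED_UNIQUE = "provided username unique"  # append a random number if taken
    PROVIDED_EMAIL = "provided email"             # provider must supply an email
    USER_ID = "user id"                           # reply's alternative: username == internal id


@dataclass
class IdentityProviderConfig:          # assumed shape, not Keycloak's config object
    alias: str
    registration_enabled: bool = True  # the per-provider switch proposed in point 1
    username_policy: UsernamePolicy = UsernamePolicy.PROVIDED_EXACT


@dataclass
class BrokeredIdentity:                # what the broker learns from the provider
    provider: str                      # provider alias, e.g. "twitter"
    external_id: str                   # stable subject id at the provider
    username: str                      # screen name at the provider
    email: Optional[str] = None


@dataclass
class User:
    id: str
    username: str
    email: Optional[str] = None
    links: Dict[str, str] = field(default_factory=dict)  # provider alias -> external id


class RegistrationDisabled(Exception): pass
class UsernameTaken(Exception): pass
class EmailMissing(Exception): pass


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def find_by_link(self, provider: str, external_id: str) -> Optional[User]:
        # Only the (provider, subject id) pair identifies a returning user. Matching on
        # username or an unverified email would let "alice" at one provider take over
        # the account of "alice" at another.
        for u in self.users.values():
            if u.links.get(provider) == external_id:
                return u
        return None

    def username_taken(self, username: str) -> bool:
        return any(u.username == username for u in self.users.values())

    def _choose_username(self, cfg: IdentityProviderConfig,
                         identity: BrokeredIdentity, user_id: str) -> str:
        if cfg.username_policy is UsernamePolicy.USER_ID:
            return user_id
        if cfg.username_policy is UsernamePolicy.PROVIDED_EMAIL:
            if not identity.email:
                raise EmailMissing(f"{identity.provider} supplied no email")
            candidate = identity.email
        else:
            candidate = identity.username
        if not self.username_taken(candidate):
            return candidate
        if cfg.username_policy is UsernamePolicy.PROVIDED_UNIQUE:
            for _ in range(16):  # random suffix, retried in case of a further collision
                suffixed = f"{candidate}{secrets.randbelow(10**6):06d}"
                if not self.username_taken(suffixed):
                    return suffixed
        raise UsernameTaken(candidate)

    def first_login(self, cfg: IdentityProviderConfig, identity: BrokeredIdentity) -> User:
        """Log in an already linked user, or create and link a new one."""
        existing = self.find_by_link(identity.provider, identity.external_id)
        if existing is not None:
            return existing
        if not cfg.registration_enabled:  # link-only mode: no existing link, no new account
            raise RegistrationDisabled(f"no account linked to {identity.provider}")
        user_id = str(uuid.uuid4())
        username = self._choose_username(cfg, identity, user_id)
        user = User(id=user_id, username=username, email=identity.email,
                    links={identity.provider: identity.external_id})
        self.users[user_id] = user
        return user


def raises(exc: type, fn: Callable, *args) -> bool:
    """True if fn(*args) raises exc; used to report the refused cases."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    # Constructed identities: two different people who are both "alice" at their provider.
    tw = store.first_login(IdentityProviderConfig("twitter"),
                           BrokeredIdentity("twitter", "t-1", "alice"))
    fb = store.first_login(IdentityProviderConfig("facebook", username_policy=UsernamePolicy.PROVIDED_UNIQUE),
                           BrokeredIdentity("facebook", "f-9", "alice", "alice@example.com"))
    print(tw.username, fb.username)
```

With the "exact" policy the Facebook "alice" is refused once the Twitter "alice" exists; with "unique" she gets a suffixed name; with the user-id policy the collision never arises, at the cost of an opaque username until the user sets one.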