Sounds good
On 3 November 2015 at 12:24, Marek Posolda <mposolda(a)redhat.com> wrote:
I have a prototype in progress, which I am going to present on the Thursday
call. It's based on the authentication SPI, so it's quite flexible.
Current default behaviour is, when it detects duplicated email, it
displays the page with "Duplication detected. What do you want to do?" Then
user can:
- Go back and edit the profile. So user is not required to link provider
as long as he provides different unique email
- Link the provider. At this point, he needs either to reauthenticate in a
different way (password+otp or an already linked identity provider) or confirm
the linking via email
Marek
On 03/11/15 09:31, Stian Thorgersen wrote:
Would be even simpler for users if we just removed authentication
completely and only had the username on the login form - we could just add
a statement "only use your own username, we trust you to not try to login
as someone else" ;)
Seriously though - social accounts are hacked all the time and allowing
this auto linking of accounts without requiring users to authenticate to
the existing account is just plain scary.
The solution to the use case you've given is not login with another social
provider, it's having good account recovery options in place.
On 30 October 2015 at 14:57, Bill Burke <bburke(a)redhat.com> wrote:
> There's an alternative problem. Logs in with Twitter in 2005. Logs in
> again 2015 with Google. Is required to link with Twitter, says "screw it"
> because he doesn't remember his Twitter password and just closes his
> browser and doesn't use the website.
>
> I've been on really popular high-traffic sites where their google login
> was broken for months (mmqb.si.com which is an NFL website for Sports
> Illustrated). I used my Facebook identity instead. If I had been required
> to merge accounts manually, I would have not been able to use the site.
>
> On 10/29/2015 4:35 PM, Stian Thorgersen wrote:
>
>> Linking accounts automatically is fine, but we should not have an option
>> that can do that without requiring users to authenticate first.
>>
>> There are so many cases where a user could have one social account
>> compromised. They may not care that much about the account, they may
>> never use the service so they've completely forgotten about it.
>>
>> Imagine the following scenario:
>>
>> * Tom signed up for GMail in 2005 - figured it was great and continued
>> using the service the rest of his life
>> * Tom signed up for Twitter in 2005 - figured it was not to his taste
>> and never used the account again
>> * Tom now read about two factor auth and configured it on his GMail
>> account
>> * Mary (a bad person) figured that the password to Tom's Twitter account
>> was 'password' so she's gained access to Tom's Twitter - Tom doesn't
>> know, but he doesn't care either
>> * Tom signs up for a website that uses Keycloak and logs in with his
>> trusted GMail account
>> * Now if we let Mary login to the website that uses Keycloak with Tom's
>> old Twitter account, without first proving she's Tom (which she can't),
>> that would be just plain daft!
>>
>> On 29 October 2015 at 06:37, Bill Burke <bburke(a)redhat.com> wrote:
>>
>>
>>
>> On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>> >
>> >
>> > On 28.10.2015 21:32, Bill Burke wrote:
>> >> If a user has loads of social networks and links a bunch of them,
>> >> if *any one* of them is compromised the entire account is compromised.
>> >> For most sites using social login, the only reason there is a login
>> >> is for the application to collect marketing data. So, the default
>> >> behavior should make things as simple as possible for the user.
>> >>
>> >> At a minimum, by default, the user should not be required to link
>> >> an account if there is a conflicting duplicate email given by the
>> >> provider. I have found develoeprs.redhat.com
>> >> <http://develoeprs.redhat.com> very difficult to use.
>> >
>> > yep, it is difficult to use because it has to follow the company's
>> > policy with unique emails and Keycloak does not provide the necessary
>> > support for simple and user friendly account linking currently ;-)
>> >
>>
>> Yeah, it's not your fault. It's ours.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
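The two policies argued over in this thread, as an added example that is not part of the original mails and is not Keycloak's own code or SPI: a small Python model of a brokered login whose email collides with an existing account. Under the `auto-link` policy the incoming provider identity is attached to the existing account on the strength of the matching email alone, which is the takeover Stian's Tom/Mary story describes. Under `require-verification` the user is shown the choices Marek's prototype offers, and linking only happens after a password+OTP re-authentication, a login through a provider that is already linked, or a confirmation token sent to the existing account's email. All names (`broker_login`, `AccountStore`, the policy strings, the proof tuples) and the sample identities are constructed for this example; the plaintext password and OTP are a simplification of a toy model, not a recommendation.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    password: str = ""               # plaintext only in this toy model
    otp_code: str = ""               # the "current" OTP value in this toy model
    links: dict = field(default_factory=dict)   # provider -> provider user id


@dataclass(frozen=True)
class BrokeredIdentity:
    provider: str
    provider_user_id: str
    email: str


class AccountStore:
    def __init__(self):
        self.accounts = {}           # username -> Account
        self.pending_links = {}      # email confirmation token -> (username, identity)

    def by_email(self, email):
        return next((a for a in self.accounts.values()
                     if a.email.lower() == email.lower()), None)

    def by_link(self, identity):
        return next((a for a in self.accounts.values()
                     if a.links.get(identity.provider) == identity.provider_user_id), None)


def _proof_accepted(store, account, proof):
    """Does `proof` show that the person at the keyboard controls `account`?"""
    if proof[0] == "password+otp":
        _, password, otp = proof
        # An account without a password/OTP cannot be proven this way (blocks "" == "").
        if not account.password or not account.otp_code:
            return False
        return (hmac.compare_digest(password, account.password)
                and hmac.compare_digest(otp, account.otp_code))
    if proof[0] == "linked-provider":
        # Re-authentication through a provider that is *already* linked to this account.
        return store.by_link(proof[1]) is account
    return False


def broker_login(store, identity, policy, proof=None):
    """One brokered login. Returns ("login", username), ("choose", options),
    ("pending", token) or ("denied", reason)."""
    linked = store.by_link(identity)
    if linked is not None:
        return ("login", linked.username)

    existing = store.by_email(identity.email)
    if existing is None:
        account = Account(identity.email, identity.email,
                          links={identity.provider: identity.provider_user_id})
        store.accounts[account.username] = account
        return ("login", account.username)

    if policy == "auto-link":
        # Matching email is treated as proof of ownership: any compromised
        # provider identity carrying that email takes over the account.
        existing.links[identity.provider] = identity.provider_user_id
        return ("login", existing.username)

    # policy == "require-verification": duplicate email detected, user must choose.
    if proof is None:
        return ("choose", ["edit-profile", "link-with-reauth", "link-via-email"])
    if proof[0] == "email":
        token = secrets.token_urlsafe(32)    # delivered to the *existing* account's mailbox
        store.pending_links[token] = (existing.username, identity)
        return ("pending", token)
    if _proof_accepted(store, existing, proof):
        existing.links[identity.provider] = identity.provider_user_id
        return ("login", existing.username)
    return ("denied", "re-authentication failed or provider not linked")


def confirm_link_by_email(store, token):
    """Complete a link that was deferred to email confirmation; tokens are single-use."""
    entry = store.pending_links.pop(token, None)
    if entry is None:
        return ("denied", "unknown or already used token")
    username, identity = entry
    store.accounts[username].links[identity.provider] = identity.provider_user_id
    return ("login", username)


def scenario(policy):
    """Stian's story: Tom signs up via Google, then a hijacked Twitter identity with
    Tom's email arrives. Returns the outcome of that second login."""
    store = AccountStore()
    tom_google = BrokeredIdentity("google", "g-1001", "tom@example.com")   # constructed
    assert broker_login(store, tom_google, policy)[0] == "login"
    hijacked_twitter = BrokeredIdentity("twitter", "t-42", "tom@example.com")  # constructed
    return broker_login(store, hijacked_twitter, policy)


if __name__ == "__main__":
    print("auto-link:", scenario("auto-link"))
    print("require-verification:", scenario("require-verification"))
```

The two `scenario` calls are the whole argument in miniature: with `auto-link` the second call returns a login into Tom's account, with `require-verification` it returns the choice page and the Twitter identity stays unlinked until one of the proofs succeeds. Bill's usability concern is visible too: the `edit-profile` option lets a user who does not want to link simply pick a different email, and the email path never asks for a forgotten Twitter password.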