----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Tuesday, 6 January, 2015 2:14:21 PM
Subject: Re: [keycloak-dev] Email constraint violation when updating profile
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Tuesday, January 6, 2015 9:53:56 AM
> Subject: Re: [keycloak-dev] Email constraint violation when updating
> profile
>
> This is a corner case and we can safely ignore it until someone complains
> about it. There are also already ways to work around it:
>
> 1) User logs into account console, removes the social/broker link, logs in
> to
> the other account and adds the social link
> 2) User talks to admin, admin deletes one account (or removes social/broker
> link), then user can link to existing account
>
> When we implemented linking of accounts in the first place me and Marek
> discussed this issue over and over. Whichever solution we came up with had
> issues, both technical and usability issues. So end of the day we decided
> that as there's a work around to it, and that it won't be a very common
> problem, we could safely ignore it.
Not sure if you can safely ignore it. Users will get an ugly error on their
browser, instead of a proper error message. If you just check for a
duplicate email in
org.keycloak.services.resources.LoginActionsService#updateProfile, that
would be enough to avoid the error. And this is should be very simple.
Agree it should be a proper error message. I didn't get that was the problem. It
shouldn't check for duplicate email though, it should rely on db constraints as
otherwise you can't guarantee it doesn't exist, but still an easy fix. Can you
create a separate JIRA issue for it with and we'll fix for 1.1.0.Final?
>
> With regards to the proposed solution, that was one we visited, but it has
> several issues. Creating the user after doesn't work as we need to have
> somewhere to store the information and it would also add more complexity to
> required actions. Also, it doesn't work if update profile is not required
> on
> first login or if email is not required. In either of those cases you end
> up
> with at some point in the future the user may try to update the account
> with
> their email and get the same problem.
Not really, the validation above should be enough.
Still not convinced :) I understand the technical blockers, but they should
not be blockers to offer a better usability.
From a business perspective, the workflow is wrong. You can not store the
user before getting the input from the user when update profile is enabled.
That is what you see around the web and what KC does partially.
You can argue which workflow is better, but both are perfectly valid. There's nothing
wrong with storing the user before update profile. If there's a update profile
required action associated with the account the user is not able to use the account until
the profile has been updated. Absolutely nothing wrong with the current flow, other than
the potential of the user wanting to set an email address that already exists, which there
are many other much simpler solutions to than what you are proposing. End of the day
you'll provide the same error message to the user, so from a usability perspective
there's no difference whether or not the it's stored in the db or not.
>
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Tuesday, 6 January, 2015 12:33:30 PM
> > Subject: [keycloak-dev] Email constraint violation when updating profile
> >
> > Hi,
> >
> > Would like to know your thoughts on KEYCLOAK-924 [1].
> >
> > Looks like there is an issue with the "Update Profile" workflow
that
> > also
> > impacts social authentication and account linking.
> >
> > Regards.
> > Pedro Igor
> >
> > [1]
https://issues.jboss.org/browse/KEYCLOAK-924
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>