Hi
On 1.6.2015 14:17, Bill Burke wrote:
On 6/1/2015 8:03 AM, Vlastimil Elias wrote:
> Hi,
>
> we just advanced to UAT phase of our project where we use Keycloak 1.2.0
> final for user management, and we got feedback from testers.
> They proposed few improvements related to "Social registration" flows
> over OAuth identity providers (github, google, ...).
>
> 1. Perform "Update Profile on First Login" only if some of mandatory
> user profile fields is missing
> Current "Update Profile on First Login" setting in "Identity
provider"
> configuration is on/off switch only. But response from some identity
> providers (like Github, Facebook) differs for distinct users, email is
> returned sometimes and sometimes not. We would like to show "Update
> Profile" page on first login only for users without email address
> (generalized a bit means without some of mandatory user profile info,
> which is currently email, name and surname) to simplify user flow for
> other users.
>
> Best implementation is probably to change "Update Profile on First
> Login" option in "Identity provider" configuration from On/Off switch
to
> a select with three values:
> "On", "On missing only", "Off".
>
>
> 2. Do not perform email verification if email is provided by trusted
> Identity provider
> If "Verify email" option is enabled in Settings > Login, then it is
> applied to all KC users accounts, both created over registration form
> and as result of social login.
> We would like to simplify user flow for users who registered over social
> provider where we can trust email (like google) and skip this step in
> this case.
>
> I see two ways for configuration on per "Identity provider" basis: add
> new "Trust email" configuration option into "Identity provider"
config
> page, or add special Mapper for providers called "Trust email" which
> will mark email as verified if provided by given identity provider.
>
> 3. Allow to map other informations provided by OAuth Identity providers
> into Keycloak user profile attributes
> Identity provider configuration contains "Mappers" configuration
> already, but only "Hardcoded role" mapper is available here for OAuth
> providers.
> We should add something like "Attribute Importer" already available for
> SAML providers.
>
You really mean mappers are needed for social providers. Their token
formats are all different. This is why we don't have mappers for them.
User profile returned from social provider is typically flat JSON object
(eg for github
https://developer.github.com/v3/users/#get-a-single-user), so we can
create universal mapper where one configuration property will say name
of field in the JSON object and second one will say name of attribute in
KC user profile to copy value into.
We should also implement some simple dot notation to be able to deeper
nest in JSON object returned from social provider if necessary.
I looked into all current providers and they use JsonNode to represent
profile loaded from social providers, so it should be easy to implement
mapper based on field names.
Only exception is Twitter provider which uses twitter4j library, but it
should be solvable also.
Vl.
> 4. allow to extend "Update Profile on First Login" page with other
> fields stored into user profile attributes
> My colleague created an issue for this already -
>
https://issues.jboss.org/browse/KEYCLOAK-1361
>
>
> 5. Link social account into KC user account if email conflict is
> detected and user authenticated afterwards
> When user clicks Social login provider on login page, and social
> provider returns email which already exists for other KC user, then
> login page is shown with error message like "User with email already
> exists. Please login to account management to link the account.". This
> is really not very user friendly, as user is returned to original
> page/application after login and it may be a bit complicated for him to
> go into account management page and link account there.
> I believe that once user provides correct username and password on this
> login page then social account should be automatically linked to KC
> account user just authenticated to. Then user should be redirected to
> originating application. If this "social account autolink" should be
> able to survive "Forgot password" flow then even better ;-)
>
I like the auto-link after login. All good suggestions.
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team