7:50 p.m.
I'd just like to say that KeyCloak looks like a great project. It will be nice not to
have to reinvent the account management wheel every time you write an app.
I have a couple of questions about KeyCloak:
1. After playing with the demo it looks like first time social logins require a local user
account to be created. Is this a fixed requirement, or is it possible for people to log in
from Google/Twitter/Facebook without a local user account? Or at least with a local
account that has no password? I ask because ideally we would like to never deal with any
user passwords whatsoever, and defer all password management to external services.
2. Do you expect the LDAP or AD support to work like a social login i.e. will users with
local network accounts be required to create a KeyCloak user account in addition to their
network account?
3. Is it possible to associate multiple social logins with a single account? Something
like what Stack Exchange does where you can add a Google and a Facebook account to your
existing SE account.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Red Hat Engineering Content Services
Brisbane, Australia
8:02 p.m.
Ok, just came across
https://github.com/keycloak/keycloak/wiki/Registration-Authentication-wit...
which answers some of these questions.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: "Matt Casperson" <mcaspers(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 6 December, 2013 11:50:42 AM
Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
I'd just like to say that KeyCloak looks like a great project. It will be nice not to
have to reinvent the account management wheel every time you write an app.
I have a couple of questions about KeyCloak:
1. After playing with the demo it looks like first time social logins require a local user
account to be created. Is this a fixed requirement, or is it possible for people to log in
from Google/Twitter/Facebook without a local user account? Or at least with a local
account that has no password? I ask because ideally we would like to never deal with any
user passwords whatsoever, and defer all password management to external services.
2. Do you expect the LDAP or AD support to work like a social login i.e. will users with
local network accounts be required to create a KeyCloak user account in addition to their
network account?
3. Is it possible to associate multiple social logins with a single account? Something
like what Stack Exchange does where you can add a Google and a Facebook account to your
existing SE account.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Red Hat Engineering Content Services
Brisbane, Australia
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:38 a.m.
Thanks for your feedback. The social integration is not complete yet, but we plan to add
support for more networks and the ability to link multiple social logins with the same
account soon.
Yes, when a user first logs in with a social login we create an account. It doesn't
have a password set, so by default the user can only login with the social login. The user
can set a password if the user wants through the account management. Also, there's an
option to require users to review their profile on first login with social login. For
example Twitter doesn't provide email address, so if you require emails for user you
can use this option to make sure all users will provide one.
Made me think that someone may want to only allow social logins and completely disable
password logins. We could provide an option to enable this, which would mean that on the
login form only the social logins would be shown, and in the account management the reset
password option wouldn't be displayed. Is that something you're interested in?
With regards to LDAP/AD we haven't decided exactly how that'll work, but the
current thinking is that we'll sync users to/from an LDAP/AD server into the Keycloak
store. This will be fully automated and run in the background to provide a more or less
consistent view between LDAP/AD and Keycloak.
----- Original Message -----
From: "Matt Casperson" <mcaspers(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 6 December, 2013 1:50:42 AM
Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
I'd just like to say that KeyCloak looks like a great project. It will be
nice not to have to reinvent the account management wheel every time you
write an app.
I have a couple of questions about KeyCloak:
1. After playing with the demo it looks like first time social logins require
a local user account to be created. Is this a fixed requirement, or is it
possible for people to log in from Google/Twitter/Facebook without a local
user account? Or at least with a local account that has no password? I ask
because ideally we would like to never deal with any user passwords
whatsoever, and defer all password management to external services.
2. Do you expect the LDAP or AD support to work like a social login i.e. will
users with local network accounts be required to create a KeyCloak user
account in addition to their network account?
3. Is it possible to associate multiple social logins with a single account?
Something like what Stack Exchange does where you can add a Google and a
Facebook account to your existing SE account.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Red Hat Engineering Content Services
Brisbane, Australia
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:45 a.m.
Created a JIRA for social-only login:
https://issues.jboss.org/browse/KEYCLOAK-211
On 12/6/2013 4:38 AM, Stian Thorgersen wrote:
Thanks for your feedback. The social integration is not complete yet,
but we plan to add support for more networks and the ability to link multiple social
logins with the same account soon.
Yes, when a user first logs in with a social login we create an account. It doesn't
have a password set, so by default the user can only login with the social login. The user
can set a password if the user wants through the account management. Also, there's an
option to require users to review their profile on first login with social login. For
example Twitter doesn't provide email address, so if you require emails for user you
can use this option to make sure all users will provide one.
Made me think that someone may want to only allow social logins and completely disable
password logins. We could provide an option to enable this, which would mean that on the
login form only the social logins would be shown, and in the account management the reset
password option wouldn't be displayed. Is that something you're interested in?
With regards to LDAP/AD we haven't decided exactly how that'll work, but the
current thinking is that we'll sync users to/from an LDAP/AD server into the Keycloak
store. This will be fully automated and run in the background to provide a more or less
consistent view between LDAP/AD and Keycloak.
----- Original Message -----
> From: "Matt Casperson" <mcaspers(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 6 December, 2013 1:50:42 AM
> Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
>
> I'd just like to say that KeyCloak looks like a great project. It will be
> nice not to have to reinvent the account management wheel every time you
> write an app.
>
> I have a couple of questions about KeyCloak:
>
> 1. After playing with the demo it looks like first time social logins require
> a local user account to be created. Is this a fixed requirement, or is it
> possible for people to log in from Google/Twitter/Facebook without a local
> user account? Or at least with a local account that has no password? I ask
> because ideally we would like to never deal with any user passwords
> whatsoever, and defer all password management to external services.
>
> 2. Do you expect the LDAP or AD support to work like a social login i.e. will
> users with local network accounts be required to create a KeyCloak user
> account in addition to their network account?
>
> 3. Is it possible to associate multiple social logins with a single account?
> Something like what Stack Exchange does where you can add a Google and a
> Facebook account to your existing SE account.
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Red Hat Engineering Content Services
> Brisbane, Australia
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:35 p.m.
Made me think that someone may want to only allow social logins and
completely disable password logins. We could provide an option to enable this, which would
mean that on the login form only the social logins would be shown, and in the account
management the reset password option wouldn't be displayed. Is that something
you're interested in?
Most definitely. One of the goals we have is to eliminate the need for "yet another
password", and disabling the ability to login via a site specific account goes a long
way to eliminating that.
For internal deployments there is no need for a local account, as there is always going to
be a central user database to defer to. Which in turns gives us an administration team to
deal with account management, a HR team to deal with incoming and outgoing employees, and
a security team to deal with password policies.
Out in public I think acceptance of social logins has reached a point where local accounts
are now an inconvenience rather than a preference. And you benefit from all the hard work
that that companies like Google have done with 2 factor authentication and account
switching. These are all features that a small dev team would never have time to implement
themselves.
It also means we never have to be responsible for maintaining a password database. Every
day it seems like there is news of another couple of million passwords stolen, with a high
percentage subsequently decrypted, and a high percentage of those found to be shared with
multiple other services. Simply not storing any user passwords is a good way to ensure you
never have to send out a bulk "please change all your passwords" email.
If KeyCloak could give us the ability to defer account and password management entirely to
social logins or an existing LDAP/AD database with something as simple as a toggle in the
admin console, it would be a huge win.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Matt Casperson" <mcaspers(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 6 December, 2013 7:38:48 PM
Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
Thanks for your feedback. The social integration is not complete yet, but we plan to add
support for more networks and the ability to link multiple social logins with the same
account soon.
Yes, when a user first logs in with a social login we create an account. It doesn't
have a password set, so by default the user can only login with the social login. The user
can set a password if the user wants through the account management. Also, there's an
option to require users to review their profile on first login with social login. For
example Twitter doesn't provide email address, so if you require emails for user you
can use this option to make sure all users will provide one.
Made me think that someone may want to only allow social logins and completely disable
password logins. We could provide an option to enable this, which would mean that on the
login form only the social logins would be shown, and in the account management the reset
password option wouldn't be displayed. Is that something you're interested in?
With regards to LDAP/AD we haven't decided exactly how that'll work, but the
current thinking is that we'll sync users to/from an LDAP/AD server into the Keycloak
store. This will be fully automated and run in the background to provide a more or less
consistent view between LDAP/AD and Keycloak.
----- Original Message -----
From: "Matt Casperson" <mcaspers(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 6 December, 2013 1:50:42 AM
Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
I'd just like to say that KeyCloak looks like a great project. It will be
nice not to have to reinvent the account management wheel every time you
write an app.
I have a couple of questions about KeyCloak:
1. After playing with the demo it looks like first time social logins require
a local user account to be created. Is this a fixed requirement, or is it
possible for people to log in from Google/Twitter/Facebook without a local
user account? Or at least with a local account that has no password? I ask
because ideally we would like to never deal with any user passwords
whatsoever, and defer all password management to external services.
2. Do you expect the LDAP or AD support to work like a social login i.e. will
users with local network accounts be required to create a KeyCloak user
account in addition to their network account?
3. Is it possible to associate multiple social logins with a single account?
Something like what Stack Exchange does where you can add a Google and a
Facebook account to your existing SE account.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Red Hat Engineering Content Services
Brisbane, Australia
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:54 p.m.
On 12/6/2013 4:35 PM, Matt Casperson wrote:
If KeyCloak could give us the ability to defer account and password
management entirely to social logins or an existing LDAP/AD database
with something as simple as a toggle in the admin console, it would be a
huge win.
Keycloak aims to be an SSO solution, not an SSO adapter.
For non-social deployments, account management is a huge part of what
Keycloak does. Maybe I'm naive in thinking admins will want to use
Keycloak to management accounts though.
Even for social deployments, there's a lot of account management
involved, i.e. managing oauth grants, registering devices, all things we
want to be able to do.
What is stored in LDAP/AD databases usually? user/password/credentials
only? What about permissions/role mappings? Is doing a background sync
to an LDAP/AD database not something people are going to want to do?
Syncing means credentials are copied.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:20 p.m.
I certainly don't mean to downplay the value of being able to manage accounts. Being
able to assign custom roles that are not reflected in LDAP/AD is going to be important,
and necessary for social logins. And even though we would prefer not deal with local
passwords, being able to support that feature with a toggle in a UI is a selling point.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Saturday, 7 December, 2013 8:54:21 AM
Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
On 12/6/2013 4:35 PM, Matt Casperson wrote:
If KeyCloak could give us the ability to defer account and password
management entirely to social logins or an existing LDAP/AD database
with something as simple as a toggle in the admin console, it would be a
huge win.
Keycloak aims to be an SSO solution, not an SSO adapter.
For non-social deployments, account management is a huge part of what
Keycloak does. Maybe I'm naive in thinking admins will want to use
Keycloak to management accounts though.
Even for social deployments, there's a lot of account management
involved, i.e. managing oauth grants, registering devices, all things we
want to be able to do.
What is stored in LDAP/AD databases usually? user/password/credentials
only? What about permissions/role mappings? Is doing a background sync
to an LDAP/AD database not something people are going to want to do?
Syncing means credentials are copied.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:29 p.m.
I just realized why there may have been some confusion on the social login and creation of
users.
Showing the registration form on first social login is optional, but the option to disable
has disappeared from the admin console. I've just committed a fix for this.
----- Original Message -----
From: "Matt Casperson" <mcaspers(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Saturday, 7 December, 2013 8:20:51 PM
Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
I certainly don't mean to downplay the value of being able to manage
accounts. Being able to assign custom roles that are not reflected in
LDAP/AD is going to be important, and necessary for social logins. And even
though we would prefer not deal with local passwords, being able to support
that feature with a toggle in a UI is a selling point.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Saturday, 7 December, 2013 8:54:21 AM
Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
On 12/6/2013 4:35 PM, Matt Casperson wrote:
> If KeyCloak could give us the ability to defer account and password
> management entirely to social logins or an existing LDAP/AD database
> with something as simple as a toggle in the admin console, it would be a
> huge win.
>
Keycloak aims to be an SSO solution, not an SSO adapter.
For non-social deployments, account management is a huge part of what
Keycloak does. Maybe I'm naive in thinking admins will want to use
Keycloak to management accounts though.
Even for social deployments, there's a lot of account management
involved, i.e. managing oauth grants, registering devices, all things we
want to be able to do.
What is stored in LDAP/AD databases usually? user/password/credentials
only? What about permissions/role mappings? Is doing a background sync
to an LDAP/AD database not something people are going to want to do?
Syncing means credentials are copied.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:10 p.m.
To keep the alignment between the label and the element at its right, labels that occupy
two lines must have the class="two-lines" ;)
On Dec 11, 2013, at 4:29 PM, Stian Thorgersen wrote:
I just realized why there may have been some confusion on the social
login and creation of users.
Showing the registration form on first social login is optional, but the option to
disable has disappeared from the admin console. I've just committed a fix for this.
----- Original Message -----
> From: "Matt Casperson" <mcaspers(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Saturday, 7 December, 2013 8:20:51 PM
> Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
>
> I certainly don't mean to downplay the value of being able to manage
> accounts. Being able to assign custom roles that are not reflected in
> LDAP/AD is going to be important, and necessary for social logins. And even
> though we would prefer not deal with local passwords, being able to support
> that feature with a toggle in a UI is a selling point.
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Engineering Content Services
> Brisbane, Australia
>
>
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Saturday, 7 December, 2013 8:54:21 AM
> Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
>
> On 12/6/2013 4:35 PM, Matt Casperson wrote:
>> If KeyCloak could give us the ability to defer account and password
>> management entirely to social logins or an existing LDAP/AD database
>> with something as simple as a toggle in the admin console, it would be a
>> huge win.
>>
>
> Keycloak aims to be an SSO solution, not an SSO adapter.
>
> For non-social deployments, account management is a huge part of what
> Keycloak does. Maybe I'm naive in thinking admins will want to use
> Keycloak to management accounts though.
>
> Even for social deployments, there's a lot of account management
> involved, i.e. managing oauth grants, registering devices, all things we
> want to be able to do.
>
>
> What is stored in LDAP/AD databases usually? user/password/credentials
> only? What about permissions/role mappings? Is doing a background sync
> to an LDAP/AD database not something people are going to want to do?
> Syncing means credentials are copied.
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Gabriel Cardoso
GateIn Portal | User Experience Designer
4051
days inactive
4056
days old
8 comments
4 participants
participants (4)
-
Bill Burke -
Gabriel Cardoso -
Matt Casperson -
Stian Thorgersen