[keycloak-dev] Associate social account with IDM user
Matt Wringe
mwringe at redhat.com
Tue Aug 13 11:38:20 EDT 2013
On 13/08/13 11:18 AM, Marek Posolda wrote:
> On 13.8.2013 16:56, Matt Wringe wrote:
>> On 13/08/13 07:43 AM, Marek Posolda wrote:
>>> Hi,
>>>
>>> Here is Marek Posolda from GateIn/JPP software engineering :-)
>>>
>>> Picketlink IDM is quite flexible and I think that there are several
>>> possibilities for how to map it. What I am thinking about could be:
>>>
>>> 1) Map the attributes related to all social providers directly as part
>>> of User itself. UserAdapter object (and also user representation in
>>> Picketlink) has support for dynamic attributes via method
>>> setAttribute/getAttribute . So it should be possible to use attributes
>>> with any name and just prefix them for given social network (For
>>> example: attribute "social.facebook.username" could be used for saving
>>> of Facebook username, attribute "social.google.username" for saving of
>>> google username or email)
>>
>> You should also probably consider that people can have multiple
>> accounts for each type. I don't have just one google account, I have
>> 3 (and 2 of them don't end in .google.com).
> The question is if keycloak should support the scenario (single user
> account mapped to more social accounts of the same provider). I don't
> think it's a common setup. Anyway, option 2 (Relationship adapter) should
> easily handle this and is probably better.
>>
>> It's also common for people to use the same email address for multiple
>> social accounts. It may be neat to automatically ask the user to link
>> accounts if we notice they have logged in using one social network
>> and we already have a user with the same email address registered
>> (and of course perform the required security checks before doing the
>> account merge).
> Yeah. The thing is that properly supporting this is not as easy as you
> really need to perform additional security checks. If the email
> address is not verified by the social provider, we have a security hole.
See "and of course perform the required security checks before doing the
account merge" in my original message. It would just be a reminder to
the user that they may already have an account on keycloak and they can
merge the accounts if they want. They would of course have to authorize
it by also logging into the existing account.
> So it's not sufficient to simply rely on the email address IMO. And
> additionally some social providers (I am aware at least of Twitter)
> don't share the email address. So it needs to be wired differently in this
> case.
>
> The use case of linking a social account for a user who is already
> registered and logged in to keycloak seems to be much easier, and it also
> allows the same user to have several registered social providers with the
> same email address.
>
> Marek
>>
>>
>>>
>>> 2) Create another Relationship adapter object and store the information
>>> as a relationship between User and Social provider. Picketlink supports
>>> attributes to be part of any Relationship, so it should be possible to
>>> achieve this.
>>>
>>> Another thing is how to wire some social provider with existing User
>>> accounts in the UI. Actually the social links are available just on the
>>> registration page, which is for anonymous users.
>>>
>>> Marek
>>>
>>> On 13.8.2013 12:43, Stian Thorgersen wrote:
>>>> We need to be able to associate multiple social providers with an
>>>> IDM user. At the moment this is based on the username of the
>>>> account (for example google.23897892sdf). This has two main drawbacks:
>>>>
>>>> * Horrible username
>>>> * Can only associate a single social account with an IDM user
>>>>
>>>> What is the best way to store this information? We mainly need to
>>>> store which social providers a user has linked and the social
>>>> userid. In the future we may also want to associate access tokens
>>>> as well. We also need to look up a user based on the social provider
>>>> + social userid.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
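The linking rules discussed in this thread (look a user up by provider + social user id rather than by a generated username, allow several accounts per provider, link freely when the user is already logged in, and merge on a matching email only if the provider verified the address and the user has also logged into the existing account) modelled as an added Python example. This is not Keycloak or Picketlink code; the in-memory store, the action names and the sample accounts are constructed for illustration.

```python
"""Constructed model of social-account linking for an IDM user (not Keycloak code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SocialAccount:
    provider: str           # e.g. "google", "facebook", "twitter"
    social_user_id: str     # provider's stable id; never used as the IDM username
    email: Optional[str]    # None for providers that don't share it (e.g. Twitter)
    email_verified: bool    # did the provider assert the address is verified?


@dataclass
class User:
    username: str
    email: Optional[str]
    # Several links per provider are allowed (the "3 google accounts" case).
    links: List[SocialAccount] = field(default_factory=list)


class AlreadyLinked(Exception):
    """The (provider, social_user_id) pair is already bound to another user."""


class IdmStore:
    """Hypothetical store: users plus a relationship-style (provider, id) index."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self._by_social: Dict[Tuple[str, str], str] = {}
        self._by_email: Dict[str, str] = {}
        self._seq = 0

    def register(self, email: Optional[str], username: Optional[str] = None) -> User:
        if username is None:
            self._seq += 1
            username = f"user-{self._seq}"   # opaque name instead of "google.23897892sdf"
        user = User(username, email)
        self.users[username] = user
        if email:
            self._by_email.setdefault(email, username)  # first registrant keeps the index
        return user

    def lookup_by_social(self, provider: str, social_user_id: str) -> Optional[User]:
        name = self._by_social.get((provider, social_user_id))
        return self.users.get(name) if name else None

    def lookup_by_email(self, email: str) -> Optional[User]:
        name = self._by_email.get(email)
        return self.users.get(name) if name else None

    def link(self, user: User, acct: SocialAccount) -> None:
        key = (acct.provider, acct.social_user_id)
        owner = self._by_social.get(key)
        if owner is not None and owner != user.username:
            raise AlreadyLinked(f"{key} already belongs to {owner}")
        if owner is None:
            self._by_social[key] = user.username
            user.links.append(acct)


def social_login(store: IdmStore, acct: SocialAccount,
                 logged_in: Optional[User] = None,
                 reauth_ok: bool = False) -> Tuple[Optional[User], str]:
    """Decide what a successful social login means. Returns (user, action)."""
    # 1. Known (provider, id) pair: plain login, the email is irrelevant here.
    known = store.lookup_by_social(acct.provider, acct.social_user_id)
    if known is not None:
        return known, "login"
    # 2. An already authenticated user is linking one more account: the session
    #    proves ownership of the IDM account, so duplicate emails are fine.
    if logged_in is not None:
        store.link(logged_in, acct)
        return logged_in, "linked"
    # 3. An email match only counts if the provider verified the address;
    #    an unverified claim must not be used to find an existing account.
    candidate = None
    if acct.email and acct.email_verified:
        candidate = store.lookup_by_email(acct.email)
    if candidate is None:
        user = store.register(acct.email)
        store.link(user, acct)
        return user, "registered"
    # 4. Existing account with the same verified email: offer the merge, but
    #    perform it only after the user has logged into that existing account.
    if not reauth_ok:
        return None, "link-offer"
    store.link(candidate, acct)
    return candidate, "merged"
```

The `reauth_ok` flag stands for whatever proof of the existing account the real flow collects (a password login against it); the "link-offer" action is the reminder Matt describes, and it is only ever raised for a provider-verified email, which is the gap Marek points out.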