[keycloak-dev] Can KeyCloack be used without any passwords?
Matt Casperson
mcaspers at redhat.com
Fri Dec 6 16:35:09 EST 2013
>Made me think that someone may want to only allow social logins and completely disable password logins. We could provide an option to enable this, which would mean that on the login form only the social logins would be shown, and in the account management the reset password option wouldn't be displayed. Is that something you're interested in?
Most definitely. One of the goals we have is to eliminate the need for "yet another password", and disabling the ability to login via a site specific account goes a long way to eliminating that.
For internal deployments there is no need for a local account, as there is always going to be a central user database to defer to. Which in turns gives us an administration team to deal with account management, a HR team to deal with incoming and outgoing employees, and a security team to deal with password policies.
Out in public I think acceptance of social logins has reached a point where local accounts are now an inconvenience rather than a preference. And you benefit from all the hard work that that companies like Google have done with 2 factor authentication and account switching. These are all features that a small dev team would never have time to implement themselves.
It also means we never have to be responsible for maintaining a password database. Every day it seems like there is news of another couple of million passwords stolen, with a high percentage subsequently decrypted, and a high percentage of those found to be shared with multiple other services. Simply not storing any user passwords is a good way to ensure you never have to send out a bulk "please change all your passwords" email.
If KeyCloak could give us the ability to defer account and password management entirely to social logins or an existing LDAP/AD database with something as simple as a toggle in the admin console, it would be a huge win.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: "Stian Thorgersen" <stian at redhat.com>
To: "Matt Casperson" <mcaspers at redhat.com>
Cc: keycloak-dev at lists.jboss.org
Sent: Friday, 6 December, 2013 7:38:48 PM
Subject: Re: [keycloak-dev] Can KeyCloack be used without any passwords?
Thanks for your feedback. The social integration is not complete yet, but we plan to add support for more networks and the ability to link multiple social logins with the same account soon.
Yes, when a user first logs in with a social login we create an account. It doesn't have a password set, so by default the user can only login with the social login. The user can set a password if the user wants through the account management. Also, there's an option to require users to review their profile on first login with social login. For example Twitter doesn't provide email address, so if you require emails for user you can use this option to make sure all users will provide one.
Made me think that someone may want to only allow social logins and completely disable password logins. We could provide an option to enable this, which would mean that on the login form only the social logins would be shown, and in the account management the reset password option wouldn't be displayed. Is that something you're interested in?
With regards to LDAP/AD we haven't decided exactly how that'll work, but the current thinking is that we'll sync users to/from an LDAP/AD server into the Keycloak store. This will be fully automated and run in the background to provide a more or less consistent view between LDAP/AD and Keycloak.
----- Original Message -----
> From: "Matt Casperson" <mcaspers at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 6 December, 2013 1:50:42 AM
> Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
>
> I'd just like to say that KeyCloak looks like a great project. It will be
> nice not to have to reinvent the account management wheel every time you
> write an app.
>
> I have a couple of questions about KeyCloak:
>
> 1. After playing with the demo it looks like first time social logins require
> a local user account to be created. Is this a fixed requirement, or is it
> possible for people to log in from Google/Twitter/Facebook without a local
> user account? Or at least with a local account that has no password? I ask
> because ideally we would like to never deal with any user passwords
> whatsoever, and defer all password management to external services.
>
> 2. Do you expect the LDAP or AD support to work like a social login i.e. will
> users with local network accounts be required to create a KeyCloak user
> account in addition to their network account?
>
> 3. Is it possible to associate multiple social logins with a single account?
> Something like what Stack Exchange does where you can add a Google and a
> Facebook account to your existing SE account.
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Red Hat Engineering Content Services
> Brisbane, Australia
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20131206/11ae1df5/attachment.html
More information about the keycloak-dev
mailing list