[keycloak-dev] Linking social accounts
Marek Posolda
mposolda at redhat.com
Mon Mar 10 06:02:27 EDT 2014
I've sent PR https://github.com/keycloak/keycloak/pull/275 for
linking/unlinking social accounts to an already existing Keycloak user
account.
I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354,
which will allow the administrator to see which social
networks are connected for user 'john'. We discussed with Stian that a
read-only possibility for the admin is probably sufficient (i.e. the admin can
just review that john is linked to Facebook and Google, but he doesn't
have the possibility to remove this linking or add a new linking of this user
to other social networks).
There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334,
which means that users registered through social can't change their
passwords, because changing the password requires filling in the already existing
password, and user 'john' doesn't have an existing password when he
registered himself through Facebook... It seems that for a user without a
password, there should be a possibility to skip the need to fill in the existing
password. Maybe there should be a new model method like:
boolean RealmModel.hasPassword(UserModel user);
or even more flexible:
boolean RealmModel.hasCredential(UserModel user, String credentialType);
Not sure if this is sufficient though, because users registered through social won't need to fill in existing passwords, which could mean that someone can hijack their session, as Stian pointed out.
So I was also thinking if we can require that users fill in
their password if they are registered through social. Maybe some
administrators don't want this, but in fact many sites on the Internet
require this for social registration, and in fact that's what I did in
GateIn portal as well.
So I wonder if we shouldn't remove the realm boolean attribute
"updateProfileOnInitialSocialLogin" and add a new attribute like
"socialRegistrationRequiredActions", which will contain an array of
required actions after social registration. So for example:
- If the administrator wants users to be registered automatically through
social without the need to confirm anything, he can use an empty array (same
as currently updateProfileOnInitialSocialLogin=false)
- If the administrator wants users to confirm their attributes (firstName,
lastName, email...), he will just add the action UPDATE_PROFILE (same as
currently updateProfileOnInitialSocialLogin=true)
- If the administrator wants users to confirm attributes and also fill in a
password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD to this
array
wdyt?
Marek
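The two proposals in the mail (a hasCredential model method that lets the password-change flow skip the "current password" field only when the user has no password at all, and a per-realm list of required actions queued after social registration in place of the updateProfileOnInitialSocialLogin boolean) as an added, self-contained illustration. This is not Keycloak code and not from the thread; the Realm, User, RequiredAction and CREDENTIAL_PASSWORD names, the plain-text credential map and the sample users are assumptions made for the demo.

```java
import java.util.*;

// Added illustration, not Keycloak code. Realm, User, RequiredAction and
// CREDENTIAL_PASSWORD are names assumed for the demo.
public class SocialRegistrationDemo {

    enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

    static final String CREDENTIAL_PASSWORD = "password";

    static class User {
        final String username;
        // credential type -> secret; plain text only for the demo, real storage hashes it
        final Map<String, String> credentials = new HashMap<>();
        final Set<String> socialLinks = new LinkedHashSet<>();      // e.g. "facebook", "google"
        final Deque<RequiredAction> requiredActions = new ArrayDeque<>();
        User(String username) { this.username = username; }
    }

    static class Realm {
        // Proposed replacement for the boolean updateProfileOnInitialSocialLogin:
        // an ordered list of actions the user must complete after social registration.
        final List<RequiredAction> socialRegistrationRequiredActions;
        final Map<String, User> users = new HashMap<>();
        Realm(List<RequiredAction> actions) { this.socialRegistrationRequiredActions = actions; }

        // Proposed model method: does the user have any credential of this type?
        boolean hasCredential(User user, String credentialType) {
            return user.credentials.containsKey(credentialType);
        }

        // First login through a social provider: create the account, link the provider
        // and queue the configured required actions. An empty list behaves like
        // updateProfileOnInitialSocialLogin=false, [UPDATE_PROFILE] like =true.
        User registerThroughSocial(String username, String provider) {
            User u = new User(username);
            u.socialLinks.add(provider);
            u.requiredActions.addAll(socialRegistrationRequiredActions);
            users.put(username, u);
            return u;
        }

        // Password change from the account page. A user registered through social has no
        // password yet, so there is nothing to verify; once a password exists the current
        // one must be supplied, so a bare session can no longer silently set a new one.
        boolean changePassword(User user, String currentPassword, String newPassword) {
            if (hasCredential(user, CREDENTIAL_PASSWORD)) {
                String stored = user.credentials.get(CREDENTIAL_PASSWORD);
                if (currentPassword == null || !stored.equals(currentPassword)) {
                    return false; // wrong or missing current password
                }
            }
            user.credentials.put(CREDENTIAL_PASSWORD, newPassword);
            user.requiredActions.remove(RequiredAction.UPDATE_PASSWORD);
            return true;
        }
    }

    public static void main(String[] args) {
        // Realm that requires profile confirmation and a password right after social registration.
        Realm realm = new Realm(List.of(RequiredAction.UPDATE_PROFILE, RequiredAction.UPDATE_PASSWORD));
        User john = realm.registerThroughSocial("john", "facebook");
        System.out.println("required actions after registration: " + john.requiredActions);
        System.out.println("has password: " + realm.hasCredential(john, CREDENTIAL_PASSWORD));

        // No existing password, so the "current password" field is skipped.
        System.out.println("first password set: " + realm.changePassword(john, null, "s3cret"));
        // From now on the current password must be supplied.
        System.out.println("change without current: " + realm.changePassword(john, null, "other"));
        System.out.println("change with current: " + realm.changePassword(john, "s3cret", "other"));
        System.out.println("remaining actions: " + john.requiredActions);

        // Realm with an empty list: registration completes with nothing to confirm.
        Realm openRealm = new Realm(List.of());
        User jane = openRealm.registerThroughSocial("jane", "google");
        System.out.println("jane required actions: " + jane.requiredActions);
    }
}
```

Run it with `java SocialRegistrationDemo.java` (Java 11 or newer). The point of keeping UPDATE_PASSWORD in the required-action list is that the window in which a social user has no password, and therefore no "current password" check, is closed at registration time rather than left open indefinitely.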