[keycloak-dev] Linking social accounts

Bill Burke bburke at redhat.com
Mon Mar 10 09:01:41 EDT 2014


On 3/10/2014 6:02 AM, Marek Posolda wrote:
> I've sent PR https://github.com/keycloak/keycloak/pull/275 for
> linking/unlinking social accounts into already existing Keycloak user
> account.
>
> I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354,
> which will allow the administrator to see which social networks are
> connected for user 'john'. We discussed with Stian that a read-only
> possibility for the admin is probably sufficient (i.e. the admin can
> just review that john is linked to Facebook and Google, but he doesn't
> have the possibility to remove this linking or add a new linking of this
> user to other social networks).
>
> There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334,
> which means that users registered through social can't change their
> passwords because changing the password requires filling in the already
> existing password, and user 'john' doesn't have an existing password when
> he registered himself through Facebook... It seems that for a user without
> a password, there should be a possibility to skip the need to fill in the
> existing password. Maybe there should be a new model method like:
>

I think I submitted a similar bug to this in regards to "forgot password".

I also want you to think about linking Social Accounts with existing 
Keycloak Accounts.  I believe sso.jboss.org will want to do this as I 
think people will want to use their Github user accounts to log into 
jboss.org JIRA without having to redo permissions.


> boolean  RealmModel hasPassword(UserModel user);
>
> or even more flexible:
>
> boolean  RealmModel hasCredential(UserModel user,String  credentialType);
>
> Not sure if this is sufficient though, because users registered through
> social won't need to fill in existing passwords, which could mean that
> someone can hijack their session, as Stian pointed out.
>
> So I was also thinking if we can require that users will need to fill in
> their password if they are registered through social. Maybe some
> administrators don't want this, but in fact many sites on the Internet
> require this for social registration, and in fact that's what I did in
> GateIn portal as well.
>

Why would a password be required for a social login?  The whole point of 
a social login is to delegate authentication.  I can see you maybe 
wanting to add 2-factor auth and other security constraints to a social 
login, but a password?  no.


> So I wonder if we shouldn't remove the realm boolean attribute
> "updateProfileOnInitialSocialLogin" and add a new attribute like
> "socialRegistrationRequiredActions", which will contain an array of
> required actions after social registration. So for example:
> - If the administrator wants users to be registered automatically through
> social without the need to confirm anything, he can use an empty array
> (same as currently updateProfileOnInitialSocialLogin=false)
> - If the administrator wants users to confirm their attributes (firstName,
> lastName, email...), he will just add the action UPDATE_PROFILE (same as
> currently updateProfileOnInitialSocialLogin=true)
> - If the administrator wants users to confirm attributes and also fill in
> a password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD into this
> array


I'd like to see an option for "Do you have an existing account?  If so, 
please log in to link this account to your social account."

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
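The thread above discusses three things: a `hasCredential(user, credentialType)` model method, a `socialRegistrationRequiredActions` array applied to users who register through a social provider, and the risk that skipping the existing-password check for password-less users lets whoever holds the session set a password. The following is an added illustration written for this page; it is not Keycloak code and not code from the thread. Every name in it (`UserAccount`, `CredentialType`, `RequiredAction`, `ChangeResult`, `registerThroughSocial`, `changePassword`, the `sessionRecentlyReauthenticated` flag) is hypothetical, and credentials are kept as plain strings only to keep the policy logic visible.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added example (not Keycloak's code): a small model of the policy discussed
// in the thread. All types and method names here are hypothetical.
public class SocialAccountPolicyExample {

    enum CredentialType { PASSWORD, TOTP }

    enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

    // Hypothetical stand-in for a user model: stored credentials, linked
    // social providers, and the required actions still pending for the user.
    static final class UserAccount {
        final String username;
        final Map<CredentialType, String> credentials = new HashMap<>();
        final Set<String> linkedSocialProviders = new HashSet<>();
        final Set<RequiredAction> pendingActions = EnumSet.noneOf(RequiredAction.class);

        UserAccount(String username) {
            this.username = username;
        }
    }

    // Counterpart of the proposed RealmModel.hasCredential(user, credentialType).
    static boolean hasCredential(UserAccount user, CredentialType type) {
        return user.credentials.containsKey(type);
    }

    // Counterpart of the proposed socialRegistrationRequiredActions realm
    // attribute: every action in the array becomes pending for the new user.
    static UserAccount registerThroughSocial(String username, String provider,
                                             Set<RequiredAction> socialRegistrationRequiredActions) {
        UserAccount user = new UserAccount(username);
        user.linkedSocialProviders.add(provider);
        user.pendingActions.addAll(socialRegistrationRequiredActions);
        return user;
    }

    enum ChangeResult { CHANGED, REJECTED_WRONG_CURRENT_PASSWORD, REJECTED_NEEDS_REAUTH }

    // Password change. A user who already has a password must supply it
    // (KEYCLOAK-334 is about users who have none). Merely skipping that check
    // for password-less users would let anyone holding the session set a
    // password, which is the hijack concern raised in the thread, so for those
    // users a fresh re-authentication with the social provider is required
    // instead; the flag is assumed to be set by the login flow.
    static ChangeResult changePassword(UserAccount user, String currentPassword, String newPassword,
                                       boolean sessionRecentlyReauthenticated) {
        if (hasCredential(user, CredentialType.PASSWORD)) {
            String stored = user.credentials.get(CredentialType.PASSWORD);
            if (!Objects.equals(stored, currentPassword)) {
                return ChangeResult.REJECTED_WRONG_CURRENT_PASSWORD;
            }
        } else if (!sessionRecentlyReauthenticated) {
            return ChangeResult.REJECTED_NEEDS_REAUTH;
        }
        // Plain string for illustration only; a real store hashes the password.
        user.credentials.put(CredentialType.PASSWORD, newPassword);
        user.pendingActions.remove(RequiredAction.UPDATE_PASSWORD);
        return ChangeResult.CHANGED;
    }

    public static void main(String[] args) {
        // Realm policy from the thread's third bullet: confirm profile and set a password.
        Set<RequiredAction> realmPolicy =
                EnumSet.of(RequiredAction.UPDATE_PROFILE, RequiredAction.UPDATE_PASSWORD);

        UserAccount john = registerThroughSocial("john", "facebook", realmPolicy);
        System.out.println("pending after social registration: " + john.pendingActions);
        System.out.println("hasPassword: " + hasCredential(john, CredentialType.PASSWORD));

        // A bare session with no fresh re-authentication cannot set the first password.
        System.out.println(changePassword(john, null, "s3cret", false));
        // After re-authenticating with the social provider it can.
        System.out.println(changePassword(john, null, "s3cret", true));
        // From then on the existing password is required, regardless of re-authentication.
        System.out.println(changePassword(john, "wrong", "other", true));
        System.out.println(changePassword(john, "s3cret", "other", false));
        System.out.println("pending after password set: " + john.pendingActions);
    }
}
```

The point of the `sessionRecentlyReauthenticated` branch is that "user has no password" is not by itself a reason to drop the proof-of-possession step; it only changes what that proof is. Whether a realm additionally forces `UPDATE_PASSWORD` after social registration remains the administrator's choice, as the proposed array allows.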

