[keycloak-dev] Linking social accounts

Stian Thorgersen stian at redhat.com
Mon Mar 10 13:22:47 EDT 2014



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 10 March, 2014 3:33:59 PM
> Subject: Re: [keycloak-dev] Linking social accounts
> 
> On 10.3.2014 15:13, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 10 March, 2014 1:01:41 PM
> >> Subject: Re: [keycloak-dev] Linking social accounts
> >>
> >>
> >> On 3/10/2014 6:02 AM, Marek Posolda wrote:
> >>> I've sent PR https://github.com/keycloak/keycloak/pull/275 for
> >>> linking/unlinking social accounts into already existing Keycloak user
> >>> account.
> >>>
> >>> I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354,
> >>> which will allow that administrator will be able to see, which social
> >>> networks are connected for user 'john'. We discussed with Stian that
> >>> read-only possibility for admin is probably sufficient (i.e. admin can
> >>> just review that john is linked to Facebook and Google, but he doesn't
> >>> have possibility to remove this linking or add new linking of this user
> >>> to other social networks).
> >>>
> >>> There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334,
> >>> which means that users registered through social can't change their
> >>> passwords because changing password requires filling already existing
> >>> password and user 'john' doesn't have existing password when he
> >>> registered himself through Facebook... It seems that for user without
> >>> password, there should be possibility to skip the need to fill existing
> >>> password. Maybe there should be new model method like:
> >>>
> >> I think I submitted a similar bug to this in regards to "forgot password".
> > In the account management pages you need to provide the existing password.
> > The login pages will allow you to reset the password through a link in an
> > email without the password.
> >
> > The account management pages asks for this password to prevent hijacking an
> > account if someone forgets to logout from a shared machine.
> >
> >> I also want you to think about linking Social Accounts with existing
> >> Keycloak Accounts.  I believe sso.jboss.org will want to do this as I
> >> think people will want to use their Github user accounts to log into
> >> jboss.org JIRA without having to redo permissions.
> This is what I did in my recent PR. So currently each user has a new tab
> "social" in account management where he can link/unlink social networks
> with his account. He can obviously use just the social networks configured
> for the particular realm. Sorry that I did not describe it in my first mail.
> >>
> >>
> >>> boolean  RealmModel hasPassword(UserModel user);
> >>>
> >>> or even more flexible:
> >>>
> >>> boolean  RealmModel hasCredential(UserModel user,String  credentialType);
> >>>
> >>> Not sure if this is sufficient though, because users registered through
> >>> social won't need to fill existing passwords, which could mean that
> >>> someone can hijack their session as Stian pointed out.
> >>>
> >>> So I was also thinking if we can require that users will need to fill
> >>> their password if they are registered through social. Maybe some
> >>> administrators don't want this, but in fact many sites on Internet
> >>> requires this for Social registration and in fact that's what I did in
> >>> GateIn portal as well.
> >>>
> >> Why would a password be required for a social login?  The whole point of
> >> a social login is to delegate authentication.  I can see you maybe
> >> wanting to add 2-factor auth and other security constraints to a social
> >> login, but a password?  no.
> > Someone may have initially started using social login, but later wants to
> > change to a regular login. To do so they would have to set a password.
> > Also, setting a password would allow someone a backup way of accessing
> > their account should the social network be down, they've lost their
> > account there, or for whatever other reason they can't use the social
> > login any more.
> >
> > The best user experience would come from having a set password option in
> > account management without requiring the 'current' password as it doesn't
> > exist. I think that's ok, but I'm a little bit worried about that allowing
> > someone to potentially hijack an account (see above).
> >
> >>
> >>> So I wonder if we shouldn't remove the realm boolean attribute
> >>> "updateProfileOnInitialSocialLogin" and add new attribute like
> >>> "socialRegistrationRequiredActions", which will contain array of
> >>> required actions after social registration. So for example:
> >>> - If administrator wants users to be registered automatically through
> >>> social without need to confirm anything, he can use empty array (same
> >>> like currently updateProfileOnInitialSocialLogin=false)
> >>> - If administrator wants users to confirm their attributes (firstName,
> >>> lastname, email...), he will just add action UPDATE_PROFILE (same like
> >>> currently updateProfileOnInitialSocialLogin=true)
> >>> - If administrator wants users to confirm attributes and also fill
> >>> password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD into this
> >>> array
> > I think that's a good idea. This would also be nice to have for standard
> > registrations as well. At the moment we have an on/off for validate
> > password, but it would be better to have two fields:
> >
> > - Actions on first login
> > - Actions on first social login
> >
> > These would be multi-select fields, same as we have for required fields on
> > a users account.
> yeah, I can create JIRA for these and assign myself the one for "social"
> login? I wonder if it's really not sufficient to provide the possibility
> of these required actions and address
> https://issues.jboss.org/browse/KEYCLOAK-334 just with this?
> 
> I can imagine that:
> - some admins want users to always set up their password immediately
> after social login. So they can add UPDATE_PASSWORD to required actions
> - Other administrators may set up SMTP password, so people can use
> "forgot password" functionality if they want to set up/reset password.
> - Other administrators don't want users to use passwords at all if they
> decided to register with social networks as Bill mentioned. I can
> imagine that some administrator doesn't want to maintain user passwords
> at DB at all and he wants all users to be registered through some social
> network like Facebook

There's a JIRA for social only login. This would probably be something as simple as adding an option to disable normal login, which would remove the username/password fields from login form, and also remove the set password link in account management. Pretty simple to add.

> >
> >>
> >> I'd like to see an option for "Do you have an existing account?  If so,
> >> please log in to link this account to your social account."
> > That would be nice, and we wanted to add some integration with the login
> > forms later. This time around it's been focused on the account management.
> > So you can add a social link to an existing account (doesn't matter if
> > that existing account uses standard password login, or social login). You
> > can also add as many as you want, so you can login to the same account
> > with username/password or any of the social providers we have.
> Possibility to link with existing KC account after successful social
> login seems to be much more tricky than linking/unlinking accounts in
> Account management when we know that user is already successfully logged
> in Keycloak.
> 
> Example flow:
> 1) I want to login into Keycloak and I click to "Login with google"
> 2) After logging in to google as user "john at gmail.com" and after confirming
> permissions, I am redirected back to Keycloak. Now Keycloak asks me: Do
> you have an existing account?
> 3) I click to "yes"
> 4) Now what exactly should happen? IMO it should display login form
> again, but without "Login with google" button. The tricky thing is, that
> I am not yet logged in Keycloak, but I want to link existing Keycloak
> account with google account "john at gmail.com". So it should allow me to
> login, but obviously now without possibility to "login with google".
> 5) Now user can click to "Login with Facebook", but again he doesn't
> have facebook account linked yet. So now it returns to step2. In the
> end, there could be something like recursive chain of 5 social networks
> to link during one login.

I think what we have now is sufficient. Anything we add will make the most common case (one social or password) less optimal.

We could add a way for users to delete their account, as well as merging accounts.

> 
> Maybe to simplify this, in step 4 it shouldn't be allowed to login with
> other social network, but just with password or TOTP?
> 
> Marek
> >
> >
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>


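The two mechanisms discussed in this thread, a hasCredential-style check so that a user registered through a social provider can set a first password without typing a "current" one (while users who do have a password are still asked for it, which is what protects an account left logged in on a shared machine), and a per-realm list of required actions applied after social registration in place of the updateProfileOnInitialSocialLogin boolean, sketched as a self-contained example. This is added illustration, not code from the Keycloak PR or the Keycloak model API; the class names Realm, User, CredentialType, RequiredAction and the method names registerThroughSocial/changePassword are hypothetical, and the credential store keeps the password as a plain string purely to keep the presence check visible (a real store would hold a salted hash).

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical credential types a user may hold (not Keycloak's enum).
enum CredentialType { PASSWORD, TOTP }

// Hypothetical required actions, using the names from the thread.
enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

// Hypothetical user model: credentials, linked social providers, pending actions.
class User {
    final String username;
    final Map<CredentialType, String> credentials = new HashMap<>();
    final Set<String> socialLinks = new HashSet<>();
    final Set<RequiredAction> pendingActions = EnumSet.noneOf(RequiredAction.class);

    User(String username) { this.username = username; }
}

// Hypothetical realm holding the proposed socialRegistrationRequiredActions list.
class Realm {
    final Set<RequiredAction> socialRegistrationRequiredActions = EnumSet.noneOf(RequiredAction.class);

    Realm(Set<RequiredAction> actions) { socialRegistrationRequiredActions.addAll(actions); }

    // The hasCredential(user, credentialType) check floated in the thread.
    boolean hasCredential(User user, CredentialType type) {
        return user.credentials.containsKey(type);
    }

    // Social registration: create the user, link the provider, queue the realm's
    // configured actions. An empty set reproduces updateProfileOnInitialSocialLogin=false,
    // {UPDATE_PROFILE} reproduces =true, and {UPDATE_PROFILE, UPDATE_PASSWORD} also
    // forces the user to set a password right after the first social login.
    User registerThroughSocial(String username, String provider) {
        User user = new User(username);
        user.socialLinks.add(provider);
        user.pendingActions.addAll(socialRegistrationRequiredActions);
        return user;
    }

    // Account-management password change. The current password is required only
    // when the user actually has one: a social-registered user can set a first
    // password, while a user who already has one is still asked for it so that
    // someone picking up an unattended, still-logged-in session cannot change it.
    boolean changePassword(User user, String currentPassword, String newPassword) {
        if (hasCredential(user, CredentialType.PASSWORD)) {
            String stored = user.credentials.get(CredentialType.PASSWORD);
            if (currentPassword == null || !stored.equals(currentPassword)) {
                return false; // reject: existing password not confirmed
            }
        }
        user.credentials.put(CredentialType.PASSWORD, newPassword);
        user.pendingActions.remove(RequiredAction.UPDATE_PASSWORD);
        return true;
    }
}

public class SocialCredentialDemo {
    public static void main(String[] args) {
        Realm realm = new Realm(EnumSet.of(RequiredAction.UPDATE_PROFILE, RequiredAction.UPDATE_PASSWORD));

        // Constructed scenario: "john" registers through Google and has no password yet.
        User john = realm.registerThroughSocial("john", "google");
        System.out.println("pending after social registration: " + john.pendingActions);

        // No password credential exists, so no current password is demanded.
        System.out.println("first password set: " + realm.changePassword(john, null, "first-secret"));

        // A password now exists: a change without the current one is refused.
        System.out.println("change without current: " + realm.changePassword(john, null, "other"));

        // With the correct current password the change goes through.
        System.out.println("change with current: " + realm.changePassword(john, "first-secret", "other"));
        System.out.println("pending now: " + john.pendingActions);
    }
}
```

Running this prints that UPDATE_PASSWORD is pending after registration, that the first set succeeds with a null current password, that the second attempt without the current password is rejected, and that UPDATE_PASSWORD is cleared once a password is stored. A realm that wants social-only accounts would simply configure an empty action set and hide the password form entirely, which is the separate "disable normal login" option mentioned above.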