[keycloak-dev] Email constraint violation when updating profile

Stian Thorgersen stian at redhat.com
Tue Jan 6 08:25:45 EST 2015



----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Tuesday, 6 January, 2015 2:14:21 PM
> Subject: Re: [keycloak-dev] Email constraint violation when updating profile
> 
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Tuesday, January 6, 2015 9:53:56 AM
> > Subject: Re: [keycloak-dev] Email constraint violation when updating
> > profile
> > 
> > This is a corner case and we can safely ignore it until someone complains
> > about it. There are also already ways to work around it:
> > 
> > 1) User logs into account console, removes the social/broker link, logs in to
> > the other account and adds the social link
> > 2) User talks to admin, admin deletes one account (or removes social/broker
> > link), then user can link to existing account
> > 
> > When we implemented linking of accounts in the first place me and Marek
> > discussed this issue over and over. Whichever solution we came up with had
> > issues, both technical and usability issues. So end of the day we decided
> > that as there's a work around to it, and that it won't be a very common
> > problem, we could safely ignore it.
> 
> Not sure if you can safely ignore it. Users will get an ugly error on their
> browser, instead of a proper error message. If you just check for a
> duplicate email in
> org.keycloak.services.resources.LoginActionsService#updateProfile, that
> would be enough to avoid the error. And this should be very simple.

Agree it should be a proper error message. I didn't get that was the problem. It shouldn't check for duplicate email though, it should rely on db constraints as otherwise you can't guarantee it doesn't exist, but still an easy fix. Can you create a separate JIRA issue for it and we'll fix for 1.1.0.Final?

> 
> > 
> > With regards to the proposed solution, that was one we visited, but it has
> > several issues. Creating the user after doesn't work as we need to have
> > somewhere to store the information and it would also add more complexity to
> > required actions. Also, it doesn't work if update profile is not required on
> > first login or if email is not required. In either of those cases you end up
> > with at some point in the future the user may try to update the account with
> > their email and get the same problem.
> 
> Not really, the validation above should be enough.
> 
> Still not convinced :) I understand the technical blockers, but they should
> not be blockers to offer a better usability.
> 
> From a business perspective, the workflow is wrong. You can not store the
> user before getting the input from the user when update profile is enabled.
> That is what you see around the web and what KC does partially.

You can argue which workflow is better, but both are perfectly valid. There's nothing wrong with storing the user before update profile. If there's an update profile required action associated with the account the user is not able to use the account until the profile has been updated. Absolutely nothing wrong with the current flow, other than the potential of the user wanting to set an email address that already exists, which there are many other much simpler solutions to than what you are proposing. End of the day you'll provide the same error message to the user, so from a usability perspective there's no difference whether or not it's stored in the db.

> 
> > 
> > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Tuesday, 6 January, 2015 12:33:30 PM
> > > Subject: [keycloak-dev] Email constraint violation when updating profile
> > > 
> > > Hi,
> > > 
> > >     Would like to know your thoughts on KEYCLOAK-924 [1].
> > > 
> > >     Looks like there is an issue with the "Update Profile" workflow that also
> > >     impacts social authentication and account linking.
> > > 
> > > Regards.
> > > Pedro Igor
> > > 
> > > [1] https://issues.jboss.org/browse/KEYCLOAK-924
> > > 
> > 
> 
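
The point made in the reply above, that a pre-check for a duplicate email cannot guarantee the address is still free at write time while a database unique constraint can, shown as an added example. This is not Keycloak code and not from the thread: the `users` table, the `email_exists` message key and the function names are hypothetical, and SQLite stands in for the real database.

```python
import sqlite3

def open_db():
    # Hypothetical schema; the UNIQUE constraint is the authority on duplicates.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    db.executemany("INSERT INTO users (id, email) VALUES (?, ?)", [(1, None), (2, None)])
    db.commit()
    return db

def update_check_first(db, user_id, email, between=None):
    """Pre-check with SELECT, then UPDATE. `between` simulates another
    request committing the same address between the two statements."""
    taken = db.execute("SELECT 1 FROM users WHERE email = ? AND id <> ?",
                       (email, user_id)).fetchone()
    if taken:
        return "email_exists"
    if between:
        between()
    db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    db.commit()
    return "ok"

def update_rely_on_constraint(db, user_id, email):
    """Write and let the database decide; map the violation to a form error."""
    try:
        with db:  # commits on success, rolls back on exception
            db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    except sqlite3.IntegrityError:
        return "email_exists"
    return "ok"

def demo():
    db = open_db()
    def other_request():  # constructed race: user 2 claims the address first
        db.execute("UPDATE users SET email = 'a@example.org' WHERE id = 2")
        db.commit()
    try:
        racy = update_check_first(db, 1, "a@example.org", between=other_request)
    except sqlite3.IntegrityError as exc:
        racy = "unhandled: " + str(exc)  # what surfaces as a raw server error
        db.rollback()
    handled = update_rely_on_constraint(db, 1, "a@example.org")
    fresh = update_rely_on_constraint(db, 1, "b@example.org")
    return racy, handled, fresh

if __name__ == "__main__":
    print(demo())
```

The pre-check passes and the write still fails once another request has committed the address, so the constraint violation has to be handled either way; handling it makes the pre-check redundant.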

