[keycloak-dev] Improve first login with identity provider

Stian Thorgersen stian at redhat.com
Tue Jul 14 03:49:43 EDT 2015

We should improve the first login with identity provider flow as it's less than elegant at the moment. Some of the suggestions below are how it already works and some are not!

The mechanism to detect existing accounts should include:

* Username
* Email
* Firstname and lastname

This needs to work both initially on the callback from the identity provider, but also after the user has updated the profile. If an existing account is detected the user should be given the option to do one of the following:

* Cancel
* Merge - this will require the user to authenticate as the existing user. Once authenticated the attributes, roles and identity-provider links from the new user are copied to the existing user (not overriding existing attributes/roles/links)
* Continue - only if existing account is found by firstname and lastname

For this to work it's probably easier to initially always create the account. To get around the case where email is duplicated we can set that as a temporary attribute rather than the email.

We also need to make sure we can define what attributes are required for a user in a realm, including validation of each attribute. If any of these attributes are missing the user will have to update the profile.

Finally, we should add an expiry to a user account. If a user initiates the login with an identity provider, but never completes the above actions (for example closes the browser on the existing account screen, or the update profile screen) the account should automatically be removed after a given time.

With regards to required actions it should be possible to configure one or more required actions for first login for a specific identity provider.

It would be nice to nail down this flow once and for all! If we can all agree on the flow, we can allocate someone to implement it for 1.5.
