[keycloak-dev] Proposal of few improvements related to "Social registration" page flows

Vlastimil Elias velias at redhat.com
Mon Jun 1 10:06:02 EDT 2015 

Hi

On 1.6.2015 14:17, Bill Burke wrote:
>
> On 6/1/2015 8:03 AM, Vlastimil Elias wrote:
>> Hi,
>>
>> we just advanced to UAT phase of our project where we use Keycloak 1.2.0
>> final for user management, and we got feedback from testers.
>> They proposed few improvements related to "Social registration" flows
>> over OAuth identity providers (github, google, ...).
>>
>> 1. Perform "Update Profile on First Login" only if some of mandatory
>> user profile fields is missing
>> Current "Update Profile on First Login" setting in "Identity provider"
>> configuration is on/off switch only. But response  from some identity
>> providers (like Github, Facebook) differs for distinct users, email is
>> returned sometimes and sometimes not. We would like to show "Update
>> Profile" page on first login only for users without email address
>> (generalized a bit means without some of mandatory user profile info,
>> which is currently email, name and surname) to simplify user flow for
>> other users.
>>
>> Best implementation is probably to change "Update Profile on First
>> Login" option in "Identity provider" configuration from On/Off switch to
>> a select with three values:
>> "On", "On missing only", "Off".
>>
>>
>> 2. Do not perform email verification if email is provided by trusted
>> Identity provider
>> If "Verify email" option is enabled in Settings > Login, then it is
>> applied to all KC users accounts, both created over registration form
>> and as result of social login.
>> We would like to simplify user flow for users who registered over social
>> provider where we can trust email (like google) and skip this step in
>> this case.
>>
>> I see two ways for configuration on per "Identity provider" basis: add
>> new "Trust email" configuration option into "Identity provider" config
>> page, or add special Mapper for providers called "Trust email" which
>> will mark email as verified if provided by given identity provider.
>>
>> 3. Allow to map other informations provided by OAuth Identity providers
>> into Keycloak user profile attributes
>> Identity provider configuration contains "Mappers" configuration
>> already, but only "Hardcoded role" mapper is available here for OAuth
>> providers.
>> We should add something like "Attribute Importer" already available for
>> SAML providers.
>>
> You really mean mappers are needed for social providers.  Their token
> formats are all different.  This is why we don't have mappers for them.

User profile returned from social provider is typically flat JSON object 
(eg for github 
https://developer.github.com/v3/users/#get-a-single-user), so we can 
create universal mapper where one configuration property will say name 
of field in the JSON object and second one will say name of attribute in 
KC user profile to copy value into.
We should also implement some simple dot notation to be able to deeper 
nest in JSON object returned from social provider if necessary.

I looked into all current providers and they use JsonNode to represent 
profile loaded from social providers, so it should be easy to implement 
mapper based on field names.
Only exception is Twitter provider which uses twitter4j library, but it 
should be solvable also.

Vl.
>
>> 4. allow to extend "Update Profile on First Login" page with other
>> fields stored into user profile attributes
>> My colleague created an issue for this already -
>> https://issues.jboss.org/browse/KEYCLOAK-1361
>>
>>
>> 5. Link social account into KC user account if email conflict is
>> detected and user authenticated afterwards
>> When user clicks Social login provider on login page, and social
>> provider returns email which already exists for other KC user, then
>> login page is shown with error message like "User with email already
>> exists. Please login to account management to link the account.". This
>> is really not very user friendly, as user is returned to original
>> page/application after login and it may be a bit complicated for him to
>> go into account management page and link account there.
>> I believe that once user provides correct username and password on this
>> login page then social account should be automatically linked to KC
>> account user just authenticated to. Then user should be redirected to
>> originating application. If this "social account autolink" should be
>> able to survive "Forgot password" flow then even better ;-)
>>
> I like the auto-link after login.  All good suggestions.
>

-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team

More information about the keycloak-dev mailing list