[keycloak-dev] Proposal of few improvements related to "Social registration" page flows

Tue Jun 2 07:41:50 EDT 2015

Hi, I created four new JIRA Enhancement issues (KEYCLOAK-1371 - 
KEYCLOAK-1374) for my proposals.

Cheers

Vl

On 1.6.2015 14:17, Bill Burke wrote:
>
> On 6/1/2015 8:03 AM, Vlastimil Elias wrote:
>> Hi,
>>
>> we just advanced to UAT phase of our project where we use Keycloak 1.2.0
>> final for user management, and we got feedback from testers.
>> They proposed few improvements related to "Social registration" flows
>> over OAuth identity providers (github, google, ...).
>>
>> 1. Perform "Update Profile on First Login" only if some of mandatory
>> user profile fields is missing
>> Current "Update Profile on First Login" setting in "Identity provider"
>> configuration is on/off switch only. But response  from some identity
>> providers (like Github, Facebook) differs for distinct users, email is
>> returned sometimes and sometimes not. We would like to show "Update
>> Profile" page on first login only for users without email address
>> (generalized a bit means without some of mandatory user profile info,
>> which is currently email, name and surname) to simplify user flow for
>> other users.
>>
>> Best implementation is probably to change "Update Profile on First
>> Login" option in "Identity provider" configuration from On/Off switch to
>> a select with three values:
>> "On", "On missing only", "Off".
>>
>>
>> 2. Do not perform email verification if email is provided by trusted
>> Identity provider
>> If "Verify email" option is enabled in Settings > Login, then it is
>> applied to all KC users accounts, both created over registration form
>> and as result of social login.
>> We would like to simplify user flow for users who registered over social
>> provider where we can trust email (like google) and skip this step in
>> this case.
>>
>> I see two ways for configuration on per "Identity provider" basis: add
>> new "Trust email" configuration option into "Identity provider" config
>> page, or add special Mapper for providers called "Trust email" which
>> will mark email as verified if provided by given identity provider.
>>
>> 3. Allow to map other informations provided by OAuth Identity providers
>> into Keycloak user profile attributes
>> Identity provider configuration contains "Mappers" configuration
>> already, but only "Hardcoded role" mapper is available here for OAuth
>> providers.
>> We should add something like "Attribute Importer" already available for
>> SAML providers.
>>
> You really mean mappers are needed for social providers.  Their token
> formats are all different.  This is why we don't have mappers for them.
>
>> 4. allow to extend "Update Profile on First Login" page with other
>> fields stored into user profile attributes
>> My colleague created an issue for this already -
>> https://issues.jboss.org/browse/KEYCLOAK-1361
>>
>>
>> 5. Link social account into KC user account if email conflict is
>> detected and user authenticated afterwards
>> When user clicks Social login provider on login page, and social
>> provider returns email which already exists for other KC user, then
>> login page is shown with error message like "User with email already
>> exists. Please login to account management to link the account.". This
>> is really not very user friendly, as user is returned to original
>> page/application after login and it may be a bit complicated for him to
>> go into account management page and link account there.
>> I believe that once user provides correct username and password on this
>> login page then social account should be automatically linked to KC
>> account user just authenticated to. Then user should be redirected to
>> originating application. If this "social account autolink" should be
>> able to survive "Forgot password" flow then even better ;-)
>>
> I like the auto-link after login.  All good suggestions.
>

-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team