[keycloak-dev] Plan for "First login with identity brokers"

Marek Posolda mposolda at redhat.com
Tue Nov 3 06:24:44 EST 2015


I have a prototype in progress, which I am going to present on Thursday 
call. It's based on authentication SPI, so it's quite flexible.

Current default behaviour is, when it detects duplicated email, it 
displays the page with "Duplication detected. What do you want to do?" 
Then user can:
- Go back and edit the profile. So user is not required to link provider 
as long as he provides different unique email
- Link the provider. At this point, he needs either to reauthenticate by 
different way (password+otp or already linked identity provider) or 
confirm the linking via email

Marek
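A small model of the flow described above, added here as an example; it is not Keycloak code and does not use the authentication SPI. A duplicate email never links automatically: the provider is linked only after reauthenticating with the existing account's password or confirming a single-use email token, and a user who picks a different unique email simply goes through broker_login again. The class and method names and the constructed users are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class User:
    email: str
    pw_rec: bytes = None    # 16-byte salt + pbkdf2 hash; None if only a broker was ever used
    linked: set = field(default_factory=set)   # {(provider, broker_subject)}

class FirstBrokerLogin:     # hypothetical model, not Keycloak's authentication SPI
    def __init__(self):
        self.users = {}     # lower-cased email -> User (email is unique in the realm)
        self.pending = {}   # single-use confirmation token -> (provider, subject, email)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email.lower()] = User(email, salt + hash_pw(password, salt))

    def broker_login(self, provider, subject, email):
        existing = self.users.get(email.lower())    # the provider returned (subject, email)
        if existing is None:                        # no conflict: create and link
            self.users[email.lower()] = User(email, linked={(provider, subject)})
            return "logged_in"
        if (provider, subject) in existing.linked:  # linked on an earlier visit
            return "logged_in"
        # Duplicate email: never auto-link; the user picks another email or proves ownership below.
        return "duplicate_detected"

    def link_with_password(self, provider, subject, email, password):
        user = self.users.get(email.lower())        # reauthenticate to the existing account
        if user is None or user.pw_rec is None or not secrets.compare_digest(
                user.pw_rec[16:], hash_pw(password, user.pw_rec[:16])):
            return "denied"
        user.linked.add((provider, subject))
        return "logged_in"

    def start_email_confirmation(self, provider, subject, email):
        token = secrets.token_urlsafe(32)           # one-time token, mailed to `email`
        self.pending[token] = (provider, subject, email.lower())
        return token                                # the model returns it instead of mailing

    def confirm_email(self, token):
        entry = self.pending.pop(token, None)       # single use: unknown or reused -> denied
        if entry is not None:
            self.users[entry[2]].linked.add(entry[:2])
        return "denied" if entry is None else "logged_in"
```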

On 03/11/15 09:31, Stian Thorgersen wrote:
> Would be even simpler for users if we just removed authentication 
> completely and only had the username on the login form - we could just 
> add a statement "only use your own username, we trust you to not try 
> to login as someone else" ;)
>
> Seriously though - social accounts are hacked all the time and 
> allowing this auto linking of accounts without requiring users to 
> authenticate to the existing account is just plain scary.
>
> The solution to the use case you've given is not login with another 
> social provider, it's having good account recovery options in place.
>
> On 30 October 2015 at 14:57, Bill Burke <bburke at redhat.com> wrote:
>
>     There's an alternative problem.  Logs in with Twitter in 2005. 
>     Logs in again 2015 with Google.  Is required to link with Twitter,
>     says "screw it" because he doesn't remember his Twitter password
>     and just closes his browser and doesn't use the website.
>
>     I've been on really popular high-traffic sites where their google
>     login was broken for months (mmqb.si.com
>     which is an NFL website for Sports Illustrated).  I used my
>     Facebook identity instead.  If I had been required to merge
>     accounts manually, I would have not been able to use the site.
>
>     On 10/29/2015 4:35 PM, Stian Thorgersen wrote:
>
>         Linking accounts automatically is fine, but we should not have
>         an option that can do that without requiring users to
>         authenticate first.
>
>         There are so many cases where a user could have one social
>         account compromised. They may not care that much about the
>         account, they may never use the service so they've completely
>         forgotten about it.
>
>         Imagine the following scenario:
>
>         * Tom signed up for GMail in 2005 - figured it was great and
>           continued using the service the rest of his life
>         * Tom signed up for Twitter in 2005 - figured it was not to
>           his taste and never used the account again
>         * Tom now read about two factor auth and configured it on his
>           GMail account
>         * Mary (a bad person) figured that the password to Tom's
>           twitter account was 'password' so she's gained access to
>           Tom's Twitter - Tom doesn't know, but he doesn't care either
>         * Tom signs up for a website that uses Keycloak and logs in
>           with his trusted GMail account
>         * Now if we let Mary login to the website that uses Keycloak
>           with Tom's old Twitter account, without first proving she's
>           Tom (which she can't), would be just plain daft!
>
>         On 29 October 2015 at 06:37, Bill Burke <bburke at redhat.com> wrote:
>
>
>
>             On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>             >
>             > On 28.10.2015 21:32, Bill Burke wrote:
>             >> If a user has loads of social networks and links a
>             >> bunch of them, if *any one* of them is compromised the
>             >> entire account is compromised. On most sites using
>             >> social login, the only reason there is a login is for
>             >> the application to collect marketing data.  So, the
>             >> default behavior should make things as simple as
>             >> possible for the user.
>             >>
>             >> At a minimum, by default, the user should not be
>             >> required to link an account if there is a conflicting
>             >> duplicate email given by the provider.  I have found
>             >> developers.redhat.com very difficult to use.
>             >
>             > yep, it is difficult to use because it has to follow
>             > company's policy with unique emails and Keycloak does not
>             > provide necessary support for simple and user friendly
>             > account linking currently ;-)
>             >
>
>             Yeah, it's not your fault.  It's ours.
>
>
>             --
>             Bill Burke
>             JBoss, a division of Red Hat
>             http://bill.burkecentral.com
>             _______________________________________________
>             keycloak-dev mailing list
>             keycloak-dev at lists.jboss.org
>             https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>     -- 
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>
>
>
