[keycloak-dev] Plan for "First login with identity brokers"

Stian Thorgersen sthorger at redhat.com
Tue Nov 3 07:18:06 EST 2015


Sounds good

On 3 November 2015 at 12:24, Marek Posolda <mposolda at redhat.com> wrote:

> I have a prototype in progress, which I am going to present on Thursday's
> call. It's based on the authentication SPI, so it's quite flexible.
>
> Current default behaviour is, when it detects a duplicated email, it
> displays the page with "Duplication detected. What do you want to do?" Then
> the user can:
> - Go back and edit the profile. So the user is not required to link the provider
> as long as he provides a different unique email
> - Link the provider. At this point, he needs either to reauthenticate in a
> different way (password+otp or an already linked identity provider) or confirm
> the linking via email
>
> Marek
>
>
> On 03/11/15 09:31, Stian Thorgersen wrote:
>
> Would be even simpler for users if we just removed authentication
> completely and only had the username on the login form - we could just add
> a statement "only use your own username, we trust you to not try to login
> as someone else" ;)
>
> Seriously though - social accounts are hacked all the time and allowing
> this auto linking of accounts without requiring users to authenticate to
> the existing account is just plain scary.
>
> The solution to the use case you've given is not login with another social
> provider, it's having good account recovery options in place.
>
> On 30 October 2015 at 14:57, Bill Burke <bburke at redhat.com> wrote:
>
>> There's an alternative problem.  Logs in with Twitter in 2005.  Logs in
>> again 2015 with Google.  Is required to link with Twitter, says "screw it"
>> because he doesn't remember his Twitter password and just closes his
>> browser and doesn't use the website.
>>
>> I've been on really popular high-traffic sites where their google login
>> was broken for months (mmqb.si.com which is an NFL website for Sports
>> Illustrated).  I used my Facebook identity instead.  If I had been required
>> to merge accounts manually, I would have not been able to use the site.
>>
>> On 10/29/2015 4:35 PM, Stian Thorgersen wrote:
>>
>>> Linking accounts automatically is fine, but we should not have an option
>>> that can do that without requiring users to authenticate first.
>>>
>>> There are so many cases where a user could have one social account
>>> compromised. They may not care that much about the account, they may
>>> never use the service so they've completely forgotten about it.
>>>
>>> Imagine the following scenario:
>>>
>>> * Tom signed up for GMail in 2005 - figured it was great and continued
>>> using the service the rest of his life
>>> * Tom signed up for Twitter in 2005 - figured it was not to his taste
>>> and never used the account again
>>> * Tom has now read about two factor auth and configured it on his GMail
>>> account
>>> * Mary (a bad person) figured that the password to Tom's Twitter account
>>> was 'password' so she's gained access to Tom's Twitter - Tom doesn't
>>> know, but he doesn't care either
>>> * Tom signs up for a website that uses Keycloak and logs in with his
>>> trusted GMail account
>>> * Now, if we let Mary log in to the website that uses Keycloak with Tom's
>>> old Twitter account, without first proving she's Tom (which she can't),
>>> that would be just plain daft!
>>>
>>> On 29 October 2015 at 06:37, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>
>>>
>>>     On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>>>     >
>>>     >
>>>     > On 28.10.2015 21:32, Bill Burke wrote:
>>>     >> If a user has loads of social networks and links a bunch of them,
>>>     >> if *any one* of them is compromised the entire account is compromised.
>>>     >> Most sites using social login, the only reason there is a login is
>>>     >> for the application to collect marketing data.  So, the default behavior
>>>     >> should make things as simple as possible for the user.
>>>     >>
>>>     >> At a minimum, by default, the user should not be required to link an
>>>     >> account if there is a conflicting duplicate email given by the provider.
>>>     >> I have found developers.redhat.com <http://developers.redhat.com> very
>>>     >> difficult to use.
>>>     >
>>>     > yep, it is difficult to use because it has to follow the company's policy
>>>     > with unique emails and Keycloak does not provide the necessary support for
>>>     > simple and user friendly account linking currently ;-)
>>>     >
>>>
>>>     Yeah, it's not your fault.  It's ours.
>>>
>>>
>>>     --
>>>     Bill Burke
>>>     JBoss, a division of Red Hat
>>>     http://bill.burkecentral.com
>>>     _______________________________________________
>>>     keycloak-dev mailing list
>>>     keycloak-dev at lists.jboss.org
>>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>