[keycloak-dev] Plan for "First login with identity brokers"
Bill Burke
bburke at redhat.com
Tue Nov 3 09:54:47 EST 2015
-100. The default should be to create a duplicate account.
On 11/3/2015 7:18 AM, Stian Thorgersen wrote:
> Sounds good
>
> On 3 November 2015 at 12:24, Marek Posolda <mposolda at redhat.com> wrote:
>
> I have a prototype in progress, which I am going to present on the
> Thursday call. It's based on the authentication SPI, so it's quite
> flexible.
>
> The current default behaviour is that when it detects a duplicated email, it
> displays a page with "Duplication detected. What do you want to
> do?" Then the user can:
> - Go back and edit the profile. So the user is not required to link the
> provider as long as he provides a different unique email.
> - Link the provider. At this point, he needs either to reauthenticate
> in a different way (password+otp or an already linked identity provider)
> or confirm the linking via email.
>
> Marek
>
>
> On 03/11/15 09:31, Stian Thorgersen wrote:
>> Would be even simpler for users if we just removed authentication
>> completely and only had the username on the login form - we could
>> just add a statement "only use your own username, we trust you to
>> not try to login as someone else" ;)
>>
>> Seriously though - social accounts are hacked all the time and
>> allowing this auto linking of accounts without requiring users to
>> authenticate to the existing account is just plain scary.
>>
>> The solution to the use case you've given is not login with
>> another social provider, it's having good account recovery options
>> in place.
>>
>> On 30 October 2015 at 14:57, Bill Burke <bburke at redhat.com> wrote:
>>
>> There's an alternative problem. Logs in with Twitter in
>> 2005. Logs in again in 2015 with Google. Is required to link
>> with Twitter, says "screw it" because he doesn't remember his
>> Twitter password, and just closes his browser and doesn't use
>> the website.
>>
>> I've been on really popular high-traffic sites where their
>> Google login was broken for months (mmqb.si.com, which is an NFL
>> website for Sports Illustrated). I used my Facebook identity instead.
>> If I had been required to merge accounts manually, I would not have
>> been able to use the site.
>>
>> On 10/29/2015 4:35 PM, Stian Thorgersen wrote:
>>
>> Linking accounts automatically is fine, but we should not have an
>> option that can do that without requiring users to authenticate first.
>>
>> There are so many cases where a user could have one social account
>> compromised. They may not care that much about the account; they may
>> never use the service, so they've completely forgotten about it.
>>
>> Imagine the following scenario:
>>
>> * Tom signed up for GMail in 2005 - figured it was great and continued
>> using the service the rest of his life
>> * Tom signed up for Twitter in 2005 - figured it was not to his taste
>> and never used the account again
>> * Tom now read about two-factor auth and configured it on his GMail account
>> * Mary (a bad person) figured that the password to Tom's Twitter account
>> was 'password', so she's gained access to Tom's Twitter - Tom doesn't
>> know, but he doesn't care either
>> * Tom signs up for a website that uses Keycloak and logs in with his
>> trusted GMail account
>> * Now if we let Mary log in to the website that uses Keycloak with Tom's
>> old Twitter account, without first proving she's Tom (which she can't),
>> that would be just plain daft!
>>
>> On 29 October 2015 at 06:37, Bill Burke <bburke at redhat.com> wrote:
>>
>> On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>> >
>> >
>> > On 28.10.2015 21:32, Bill Burke wrote:
>> >> If a user has loads of social networks and links a bunch of them, if
>> >> *any one* of them is compromised the entire account is compromised.
>> >> For most sites using social login, the only reason there is a login is
>> >> for the application to collect marketing data. So, the default behavior
>> >> should make things as simple as possible for the user.
>> >>
>> >> At a minimum, by default, the user should not be required to link an
>> >> account if there is a conflicting duplicate email given by the provider.
>> >> I have found developers.redhat.com very difficult to use.
>> >
>> > Yep, it is difficult to use because it has to follow the company's policy
>> > of unique emails, and Keycloak does not provide the necessary support for
>> > simple and user-friendly account linking currently ;-)
>> >
>>
>> Yeah, it's not your fault. It's ours.
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
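As an added example (not Keycloak's code), the "first broker login" decision Marek describes, modelled in Python: the auto-link behaviour Stian warns against sits beside the default that stops and asks the user to prove ownership of the existing account. The in-memory account store and the `verified` flag are assumptions; how the user actually proves ownership (password+otp, an already linked provider, or an email confirmation) is left out.

```python
# Added example, not Keycloak's code: a model of the "first broker login"
# decision discussed in the thread. The account store and the `verified`
# flag are assumptions; the proof-of-ownership step itself (password+otp,
# an already linked provider, or an email confirmation link) is out of scope.
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    linked_idps: set = field(default_factory=set)  # provider aliases, e.g. {"google"}


def first_broker_login(accounts, idp, email, *, verified=False, auto_link=False):
    """Decide what happens when `idp` asserts `email` for a user it has not linked yet.

    Returns (outcome, account) with outcome one of 'created', 'linked', 'link_required'.
    `verified`  - the user re-authenticated to the existing account (safe to link)
    `auto_link` - the behaviour the thread warns against: trust the provider's email
    """
    existing = next((a for a in accounts if a.email.lower() == email.lower()), None)
    if existing is None:
        account = Account(email=email, linked_idps={idp})
        accounts.append(account)
        return "created", account
    if idp in existing.linked_idps:
        return "linked", existing  # normal login through a provider linked earlier
    if verified or auto_link:
        existing.linked_idps.add(idp)
        return "linked", existing
    # Duplicate email and no proof of ownership: stop here and let the user
    # re-authenticate, confirm via email, or edit the profile to a unique email.
    return "link_required", existing


def tom_and_mary(auto_link):
    """Stian's scenario: Tom signs up via GMail; Mary holds Tom's old Twitter login."""
    accounts = []
    first_broker_login(accounts, "google", "tom@example.com")  # Tom's real signup
    outcome, account = first_broker_login(accounts, "twitter", "tom@example.com",
                                          auto_link=auto_link)   # Mary's attempt
    return outcome, sorted(account.linked_idps)


if __name__ == "__main__":
    print(tom_and_mary(auto_link=True))   # ('linked', ['google', 'twitter']) - Mary is in
    print(tom_and_mary(auto_link=False))  # ('link_required', ['google'])
```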