[keycloak-user] Multiple Social Providers for Single Account

Marek Posolda mposolda at redhat.com
Fri Jun 13 08:57:27 EDT 2014


At this moment, if you have Facebook and Google account and both have 
same email address "foo at gmail.com" , you need to either:

1) Register user first with Facebook, which will create new user account 
in Keycloak with email address "foo at gmail.com" and this account will be 
linked with Facebook. Then you can link this user with Google in Account 
Management UI. In this way, user with email "foo at gmail.com" will be 
linked to both Facebook and Google and from this point he can login to both.

2) Manually register user with email "foo at gmail.com" and then link him 
in Account Management with both Facebook and Google.

What you can't do ATM is to register user with Facebook first (like in 
first part of flow 1), then logout and then try to register him with 
Google. In this case user is not yet linked to Google, but user account 
with email address "foo at gmail.com" already exists in Keycloak. So that's 
why it fails because there is enforcement to have unique email addresses 
in Keycloak.

  I agree that it would be nice to have support for this flow. I think 
when trying to SignIn with Google in case that user with this email 
already exists, Keycloak should display screen with some message like: 
"User with address foo at gmail.com already exists. Do you want to link 
your account with this one?" . In case that user choose "Yes" he will 
need to login into Keycloak via some different form. If user choose "No" 
registration will be finished as failed. Support for this flow is a bit 
tricky and IMO it won't be possible to do it in Keycloak 1.0.Final, but 
probably somewhere later. What we can do in 1.0.Final IMO is just do a 
small fix in UI that there is no exception message like 
"ModelDuplicateException" displayed somewhere in UI, but instead some 
more friendly message will be shown like: "Your email foo at gmail.com 
already exists in Keycloak. Login first and then link your account with 


On 9.6.2014 21:28, Rodrigo Sasaki wrote:
> I guess it can wait, it would be good to get this sorted but I know 
> you're all very busy.
> I'll download the master branch again and see what I can find
> On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>     Stian wrote this code and is at a face to face meeting this week.  Can
>     you wait until next week for an answer?  I could look into it, but I'm
>     focused on some caching features and pushing out Beta 3 at the moment.
>     On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
>     > I've been trying to work with the Social Providers feature of
>     Keycloak,
>     > but I've had some problems.
>     >
>     > First of all I'm using the beta-2 version, and I created
>     Facebook and
>     > Google links to applications I have there and it worked fine.
>     >
>     > If I create a new user logging in with Facebook it works
>     > If I create a new user logging in with Google it works aswell.
>     >
>     > When I try linking things, that's where things go wrong.
>     >
>     > I have created a new Keycloak user, and accessed:
>     >
>     > *http://localhost:8080/auth/realms/myrealm/account*
>     >
>     > and on that URL I associated my Google and Facebook accounts,
>     when I do
>     > it like that, it all works fine, but when I tried to see if it
>     worked
>     > automatically it all went south.
>     >
>     > I deleted the social links from this account, and then tried to
>     login to
>     > a keycloak secured application via Facebook, and the e-mail of my
>     > Facebook account is the same of the keycloak accunt, which led to an
>     > exception
>     >
>     > /org.keycloak.models.ModelDuplicateException:
>     > javax.persistence.PersistenceException:
>     > org.hibernate.exception.ConstraintViolationException: ERROR:
>     duplicate
>     > key value violates unique constraint "userentity_realm_email_key"/
>     >
>     > The same happens if I have no account at all, and create one with
>     > Facebook, then try logging in with Google.
>     >
>     > Is there something I'm missing, or is this flow still being
>     worked on?
>     >
>     > I have read this wiki, and I think it's the item 5 that isn't
>     working
>     > correctly
>     >
>     >
>     https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts
>     >
>     >
>     > --
>     > Rodrigo Sasaki
>     >
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     >
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> -- 
> Rodrigo Sasaki
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140613/2cb52ca3/attachment.html 

More information about the keycloak-user mailing list