[keycloak-user] Multiple Social Providers for Single Account

Stian Thorgersen stian at redhat.com
Tue Jun 17 06:52:06 EDT 2014


Seems I replied without the list, so including list as cc.

I've looked at your alterations and I'm not confident with letting users link to an existing account without logging in to that account first. We should be able to do this relatively easily though.

If you're interested in looking at doing this work let me know and I can give you some pointers. Basically the idea is if an account with the same email exists:

* Use callback url from social provider, including query params, as redirect-uri
* Return login form with message saying user with email exists, please login to link accounts
* Login form is submitted and processed by token service as usual
* Login form redirects to social callback uri
* Social callback uri creates social link (which it can do now as the user is authenticated)
* Redirect to app

----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> To: "Stian Thorgersen" <sthorger at redhat.com>
> Sent: Wednesday, 11 June, 2014 1:41:13 PM
> Subject: Re: [keycloak-user] Multiple Social Providers for Single Account
> 
> That is totally fine, I'm just hoping I can help you guys somehow,
> contribute with something too
> 
> 
> On Wed, Jun 11, 2014 at 9:07 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> 
> > I'll have a look at it and get back to you. It won't be until the beginning
> > of next week though.
> >
> > Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> >
> >
> > We need this feature now, so we're making some alterations to make it work
> > for us.
> >
> > Although we'd like to contribute to the Keycloak project if you feel our
> > alteration is fitting. We have done some tests, and we changed the
> > SocialResource class to treat this special flow.
> >
> > What we did is add a step to find the user by e-mail, before going into
> > the block where it creates a new user from scratch. I'm not a security
> > specialist, that's why I'd like you to take a look at it, because there may
> > exist security flaws that I'm not aware of, and if we can come up with
> > something that looks good, we could submit a PR for the project.
> >
> > Here's how our code looks now, we built it on top of the beta-2 source:
> > http://pastebin.com/H9S0fWjH
> >
> > I highlighted the part where alterations begin and end.
> >
> > I hope we can help each other in this.
> >
> > Best regards,
> > Rodrigo
> >
> >
> > On Tue, Jun 10, 2014 at 8:11 AM, Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> >> Currently the only way we support to link multiple accounts is through
> >> the account management. There's no automatic linking, so the problem you're
> >> seeing is at the moment the expected behavior as we only allow one account
> >> per email.
> >>
> >> We would like to improve this flow in the future, and any suggestions on
> >> how it could/should work would be great. It would most likely not be added
> >> until after 1.0.final.
> >>
> >> Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> >>
> >>
> >> I guess it can wait, it would be good to get this sorted but I know
> >> you're all very busy.
> >>
> >> I'll download the master branch again and see what I can find
> >>
> >>
> >> On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke <bburke at redhat.com> wrote:
> >>
> >>> Stian wrote this code and is at a face-to-face meeting this week.  Can
> >>> you wait until next week for an answer?  I could look into it, but I'm
> >>> focused on some caching features and pushing out Beta 3 at the moment.
> >>>
> >>> On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
> >>> > I've been trying to work with the Social Providers feature of Keycloak,
> >>> > but I've had some problems.
> >>> >
> >>> > First of all I'm using the beta-2 version, and I created Facebook and
> >>> > Google links to applications I have there and it worked fine.
> >>> >
> >>> > If I create a new user logging in with Facebook it works
> >>> > If I create a new user logging in with Google it works as well.
> >>> >
> >>> > When I try linking things, that's where things go wrong.
> >>> >
> >>> > I have created a new Keycloak user, and accessed:
> >>> >
> >>> > *http://localhost:8080/auth/realms/myrealm/account*
> >>> >
> >>> > and on that URL I associated my Google and Facebook accounts, when I do
> >>> > it like that, it all works fine, but when I tried to see if it worked
> >>> > automatically it all went south.
> >>> >
> >>> > I deleted the social links from this account, and then tried to log in
> >>> > to a keycloak secured application via Facebook, and the e-mail of my
> >>> > Facebook account is the same as that of the keycloak account, which led
> >>> > to an exception
> >>> >
> >>> > /org.keycloak.models.ModelDuplicateException:
> >>> > javax.persistence.PersistenceException:
> >>> > org.hibernate.exception.ConstraintViolationException: ERROR: duplicate
> >>> > key value violates unique constraint "userentity_realm_email_key"/
> >>> >
> >>> > The same happens if I have no account at all, and create one with
> >>> > Facebook, then try logging in with Google.
> >>> >
> >>> > Is there something I'm missing, or is this flow still being worked on?
> >>> >
> >>> > I have read this wiki, and I think it's item 5 that isn't working
> >>> > correctly
> >>> >
> >>> >
> >>> https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts
> >>> >
> >>> >
> >>> > --
> >>> > Rodrigo Sasaki
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > keycloak-user mailing list
> >>> > keycloak-user at lists.jboss.org
> >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>> >
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >>
> >>
> >> --
> >> Rodrigo Sasaki
> >>
> >
> >
> >
> > --
> > Rodrigo Sasaki
> >
> 
> 
> 
> --
> Rodrigo Sasaki
> 
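The login-before-linking flow Stian sketches at the top of this message, written out as an added illustration. This is not code from the thread and not Keycloak's own SocialResource; every class and method name (SocialLinkFlow, handleCallback, resumeAfterLogin), the login and callback paths, the redirect_uri parameter and the sample user are assumptions made for the sketch. The point it demonstrates is that a social identity is attached to an existing account only in a request where the authenticated user's id equals the id of the account found by e-mail, never on the e-mail match alone.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of "log in first, then link"; not Keycloak code.
// Names, URL paths and the sample data are assumptions made for this example.
public class SocialLinkFlow {

    static final class User {
        final String id;
        final String email;
        final Map<String, String> socialLinks = new HashMap<>(); // provider -> provider user id
        User(String id, String email) { this.id = id; this.email = email; }
    }

    /** Identity the provider handed back after the code exchange. */
    static final class SocialIdentity {
        final String provider, providerUserId, email;
        SocialIdentity(String provider, String providerUserId, String email) {
            this.provider = provider; this.providerUserId = providerUserId; this.email = email;
        }
    }

    /** What the callback tells the browser to do next. */
    static final class Outcome {
        final String redirectTo;  // where the browser is sent
        final String message;     // notice for the login form, or null
        final User user;          // user now logged in, or null
        Outcome(String redirectTo, String message, User user) {
            this.redirectTo = redirectTo; this.message = message; this.user = user;
        }
    }

    private final Map<String, User> usersByEmail = new HashMap<>();
    // Identity already obtained from the provider, parked server-side per browser
    // session until the user proves ownership of the existing account.
    private final Map<String, SocialIdentity> pendingLinks = new HashMap<>();
    private int nextId = 1;

    public User createUser(String email) {
        User u = new User("u" + nextId++, email);
        usersByEmail.put(email, u);
        return u;
    }

    /** Provider callback, invoked after the authorization code has been exchanged. */
    public Outcome handleCallback(String callbackUrl, SocialIdentity idp,
                                  String session, User authenticated, String appUrl) {
        User existing = usersByEmail.get(idp.email);
        if (existing == null) {
            User created = createUser(idp.email);          // fresh registration
            created.socialLinks.put(idp.provider, idp.providerUserId);
            return new Outcome(appUrl, null, created);
        }
        if (authenticated != null && authenticated.id.equals(existing.id)) {
            existing.socialLinks.put(idp.provider, idp.providerUserId); // proven owner
            return new Outcome(appUrl, null, existing);
        }
        // Same e-mail, but nobody has proven ownership of the existing account:
        // park the identity and send the browser to the login form, with the
        // callback URL (query string included) as the post-login redirect.
        pendingLinks.put(session, idp);
        String loginUrl = "/auth/realms/myrealm/login?redirect_uri="
                + URLEncoder.encode(callbackUrl, StandardCharsets.UTF_8);
        return new Outcome(loginUrl, "An account with this e-mail exists; log in to link it.", null);
    }

    /** Reached when the login form redirects back to the callback after a successful login. */
    public Outcome resumeAfterLogin(String session, User authenticated, String appUrl) {
        SocialIdentity idp = pendingLinks.remove(session);
        if (idp == null || authenticated == null) {
            return new Outcome("/auth/realms/myrealm/login", "Nothing pending; log in.", null);
        }
        User existing = usersByEmail.get(idp.email);
        // The account that just logged in must be the one that owns the matching e-mail.
        if (existing == null || !existing.id.equals(authenticated.id)) {
            return new Outcome("/auth/realms/myrealm/login",
                    "The logged-in account does not own that e-mail.", null);
        }
        existing.socialLinks.put(idp.provider, idp.providerUserId);
        return new Outcome(appUrl, null, existing);
    }

    public static void main(String[] args) {
        SocialLinkFlow flow = new SocialLinkFlow();
        User alice = flow.createUser("alice@example.com");   // constructed sample user
        SocialIdentity fb = new SocialIdentity("facebook", "fb-123", "alice@example.com");
        String cb = "/auth/realms/myrealm/social/callback?code=abc&state=xyz";

        // 1. Unauthenticated browser returns from Facebook with Alice's e-mail: no link yet.
        Outcome o1 = flow.handleCallback(cb, fb, "sess-1", null, "https://app.example/");
        System.out.println(o1.redirectTo + " | " + o1.message);
        System.out.println("linked before login: " + alice.socialLinks.containsKey("facebook"));

        // 2. Alice logs in on that form; the callback resumes and the link is created.
        Outcome o2 = flow.resumeAfterLogin("sess-1", alice, "https://app.example/");
        System.out.println(o2.redirectTo + " | linked after login: " + alice.socialLinks.get("facebook"));
    }
}
```

Two design choices in the sketch are worth spelling out. First, the identity is parked server-side keyed by the browser session rather than carried in the redirect: an OAuth 2.0 authorization code may be used only once (RFC 6749, section 4.1.2), so if the resumed callback re-ran the code exchange from the original query parameters the provider would reject it, and carrying the provider user id in a client-supplied parameter would let a logged-in user attach an arbitrary social identity. Second, both the first pass and the resumed pass check that the authenticated user's id equals the id found by e-mail; a provider's e-mail claim may be unverified or stale, so an e-mail match by itself is not evidence that the person at the keyboard owns the existing account.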

