[keycloak-dev] Email/ username case-sensitivity issues

Stian Thorgersen stian at redhat.com
Mon Jul 20 00:42:49 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 17 July, 2015 7:37:58 PM
> Subject: [keycloak-dev] Email/ username case-sensitivity issues
> 
> There are some case-sensitivity issues which mean that sometimes you
> can add an object with a duplicated email/username into the DB etc. Some details
> are at https://issues.jboss.org/browse/KEYCLOAK-1545 or
> https://issues.jboss.org/browse/KEYCLOAK-1551. Those issues happened
> with LDAP, but generally the issues are not LDAP specific - for example even
> without LDAP integration you can add a user with email "JOHN at keycloak.org"
> and then "john at keycloak.org". The second user is created successfully,
> which doesn't look correct to me.
> 
> The solutions I can see are:
> 1) Ensure that username and email are always added lowercased into the DB and
> then searched lowercased. We already fixed similar issues earlier, but
> not entirely. Right now we are adding the username lowercased and
> searching both username and email lowercased, but we are not adding the
> email lowercased. I've sent a PR where I convert both username and email
> to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
> https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47039266fe61d
> 
> 
> 2) Another approach would be to add usernames and emails case-sensitively,
> but instead ensure that DB searching is case-insensitive (lowercased).
> For JPA there is a "lower" function in HQL, but I am not sure if it's
> supported for various databases (and I would really like to avoid DB
> specific failures TBH... ;-) ). For Mongo there is the possibility to
> search with a regex to achieve case-insensitive search, but it sucks due to
> performance - so in this case we may need to add separate columns
> username_lowercased and email_lowercased, which will be used for
> searching to ensure an index is used...
> 
> I like (1) much more and that's what I used in the PR. Any objections
> to merging it?

+1 to (1). That's what we intended to do the first time around, but we seem to have forgotten email by mistake. We had the same discussion about the local part being case-sensitive back then as well ;)

> 
> Or is it bad to assume that emails are case-insensitive? Strictly speaking,
> the "local" part of an email is supposed to be case-sensitive, so
> "JOHN at keycloak.org" and "john at keycloak.org" are theoretically different
> emails. But in reality most organizations and mail servers treat them as
> the same email - including Google. I just checked that I can successfully
> log in to Google with MPosOLDA at gmail.com.
> 
> Marek

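The duplicate-email case from the thread, the "before" behaviour and the lowercased-key approach discussed above, as an added Python example that is not Keycloak's own code (NaiveStore, NormalizedStore and the example.org addresses are constructed for illustration):

```python
# Added example (not Keycloak's own code): models the duplicate-email bug
# from the thread and the proposed fix; class names are hypothetical.
from dataclasses import dataclass, field

def normalize(value: str) -> str:
    return value.strip().lower()  # key used for uniqueness checks and lookups

@dataclass
class NaiveStore:
    # Before the fix: username is lowercased on write but email is not, so
    # "JOHN@example.org" and "john@example.org" pass as two distinct users.
    users: list = field(default_factory=list)

    def add(self, username: str, email: str) -> None:
        username = username.lower()
        if any(u == username or e == email for u, e in self.users):
            raise ValueError("duplicate user")
        self.users.append((username, email))

@dataclass
class NormalizedStore:
    # Option 2 from the thread: keep the value as entered, but enforce
    # uniqueness and search through lowercased keys (the proposed
    # username_lowercased / email_lowercased columns). Option 1 is the
    # same with only the lowercased copy stored.
    users: list = field(default_factory=list)
    by_username: dict = field(default_factory=dict)
    by_email: dict = field(default_factory=dict)

    def add(self, username: str, email: str) -> None:
        ukey, ekey = normalize(username), normalize(email)
        if ukey in self.by_username or ekey in self.by_email:
            raise ValueError("duplicate user")
        self.users.append((username, email))
        self.by_username[ukey] = self.by_email[ekey] = (username, email)

    def find_by_email(self, email: str):
        return self.by_email.get(normalize(email))

def demo():
    naive = NaiveStore()
    naive.add("john", "JOHN@example.org")
    naive.add("john2", "john@example.org")  # accepted: the reported bug
    fixed = NormalizedStore()
    fixed.add("john", "JOHN@example.org")
    try:
        fixed.add("john2", "john@example.org")
        rejected = False
    except ValueError:
        rejected = True
    return len(naive.users), rejected, fixed.find_by_email("John@Example.ORG")
```

Running demo() shows the naive store holding two users for one mailbox, while the normalized store rejects the second and still finds the account from a mixed-case query.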
