[keycloak-dev] Email/ username case-sensitivity issues

Stian Thorgersen stian at redhat.com
Mon Jul 20 02:10:12 EDT 2015


Marek: assigned https://issues.jboss.org/browse/KEYCLOAK-1544 to you as it's related to the fix you've done

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 20 July, 2015 6:42:49 AM
> Subject: Re: [keycloak-dev] Email/ username case-sensitivity issues
> 
> 
> 
> ----- Original Message -----
> > From: "Marek Posolda" <mposolda at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Friday, 17 July, 2015 7:37:58 PM
> > Subject: [keycloak-dev] Email/ username case-sensitivity issues
> > 
> > There are some case-sensitivity issues, which cause that sometimes you
> > can add an object with a duplicated email/username into the DB, etc. Some details
> > are at https://issues.jboss.org/browse/KEYCLOAK-1545 or
> > https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened
> > with LDAP, but generally the issues are not LDAP specific - for example even
> > without LDAP integration you can add a user with email "JOHN at keycloak.org"
> > and then "john at keycloak.org" . The second user is created successfully,
> > which doesn't look correct to me.
> > 
> > The solutions I can see are:
> > 1) Ensure that username and email are always added lowercased into the DB and
> > then searched lowercased. We already fixed similar issues earlier, but
> > not entirely. Right now, we are adding the username lowercased and
> > searching both username and email lowercased, but we are not adding the
> > email lowercased. I've sent a PR where I convert both username and email
> > to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
> > https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47039266fe61d
> > 
> > 
> > 2) Another approach can be to add usernames and emails case sensitively,
> > but instead ensure that DB searching is case insensitive (lowercased).
> > For JPA there is the "lower" function in HQL, but I am not sure if it's
> > supported for various databases (and I would really like to avoid DB
> > specific failures TBH...;-)   ).  For Mongo there is a possibility to
> > search with a regex to achieve case-insensitive search, but it sucks due to
> > performance - so in this case we may need to add separate columns
> > username_lowercased and email_lowercased, which will be used for
> > searching to ensure the index is used...
> > 
> > I like (1) much more and that's what I used in PR. Any objections
> > against merging it?
> 
> +1 to (1), that's what we intended to do the first time around, but we seem to
> have forgotten email by mistake. We had the same discussion about the local
> part being case sensitive back then as well ;)
> 
> > 
> > Or is it bad to assume that emails are case insensitive? Strictly said,
> > the "local" part of an email is supposed to be case sensitive, so
> > "JOHN at keycloak.org" and "john at keycloak.org" are theoretically different
> > emails. But in reality most organizations and mail servers treat them as
> > the same emails - including Google. Just checked that I can successfully
> > log in to Google with MPosOLDA at gmail.com .
> > 
> > Marek
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
> 
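The following is an added example, not Keycloak's own code and not part of the thread: it shows approach (1) from the discussion, normalizing username and email to lowercase on write so that the uniqueness check and every lookup operate on the normalized value. The `CaseInsensitiveUserStore` and `User` classes, their field names and the in-memory maps are assumptions made for this illustration (a stand-in for the JPA/Mongo tables); the normalizing setters play the role of `UserAdapter.setEmail` / `UserAdapter.setUserName`.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not Keycloak code): an in-memory user store that lowercases
 * username and email on write, so "JOHN@keycloak.org" and "john@keycloak.org"
 * are treated as the same address and the second insert is rejected.
 */
public class CaseInsensitiveUserStore {

    /** Minimal user record; only the fields the thread discusses (assumed names). */
    public static final class User {
        private String username;
        private String email;

        public User(String username, String email) {
            setUsername(username);
            setEmail(email);
        }

        // Normalize on write, as the thread's PR does in the UserAdapter setters.
        public void setUsername(String username) {
            this.username = normalize(username);
        }

        public void setEmail(String email) {
            this.email = normalize(email);
        }

        public String getUsername() { return username; }
        public String getEmail() { return email; }
    }

    /**
     * Lowercase with Locale.ROOT so the result does not depend on the JVM's
     * default locale: under a Turkish default locale "I".toLowerCase() yields
     * a dotless "ı", which would make the same address normalize differently
     * on two servers and defeat the uniqueness check. Null passes through.
     */
    static String normalize(String value) {
        return value == null ? null : value.trim().toLowerCase(Locale.ROOT);
    }

    // Keyed by the normalized value; this is the in-memory equivalent of the
    // username_lowercased / email_lowercased columns mentioned for approach (2).
    private final Map<String, User> byUsername = new HashMap<>();
    private final Map<String, User> byEmail = new HashMap<>();

    /**
     * Adds a user, rejecting it when the normalized username or email is
     * already taken. The check and the insert happen under one lock so two
     * concurrent registrations cannot both pass the duplicate check.
     */
    public synchronized User addUser(String username, String email) {
        User user = new User(username, email);
        if (byUsername.containsKey(user.getUsername())) {
            throw new IllegalArgumentException("username already exists: " + user.getUsername());
        }
        if (user.getEmail() != null && byEmail.containsKey(user.getEmail())) {
            throw new IllegalArgumentException("email already exists: " + user.getEmail());
        }
        byUsername.put(user.getUsername(), user);
        if (user.getEmail() != null) {
            byEmail.put(user.getEmail(), user);
        }
        return user;
    }

    /** Lookups normalize the query the same way, so searches are case-insensitive. */
    public synchronized Optional<User> findByEmail(String email) {
        return Optional.ofNullable(byEmail.get(normalize(email)));
    }

    public synchronized Optional<User> findByUsername(String username) {
        return Optional.ofNullable(byUsername.get(normalize(username)));
    }

    public static void main(String[] args) {
        CaseInsensitiveUserStore store = new CaseInsensitiveUserStore();
        store.addUser("john", "JOHN@keycloak.org");
        System.out.println("found by mixed-case email: "
                + store.findByEmail("John@KeyCloak.org").isPresent());
        try {
            // Same address with different case: rejected instead of creating a second user.
            store.addUser("john2", "john@keycloak.org");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real database the same guarantee needs a unique index on the normalized column; normalizing in the setter alone still leaves a race between two concurrent inserts that the in-memory `synchronized` block papers over here.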

