[keycloak-dev] Introduce option to select username mode for a realm

Marek Posolda mposolda at redhat.com
Wed Oct 7 08:48:21 EDT 2015 

On 07/10/15 14:38, Stian Thorgersen wrote:
> I agree mobile can be done with a separate authenticator, it's 
> probably not that much additional work to add either. However, that 
> doesn't change the account management console, registration screens, 
> etc.. So there's more work than that + quite a lot of configuration 
> needed to use mobile instead of email/username.
>
> It would be nice to have a configurable option on the username/email 
> authenticator to support only email though. I think we may have this 
> already but it's a realm option rather than a configuration option on 
> the authenticator. Same arguments here, if someone just wants to use 
> email, the username shouldn't be displayed on login, registration and 
> account management.
Hmm... looks that we already have "isRegistrationEmailAsUsername" on 
RealmModel. This seems to affect just the registration screen, so admin 
have possibility to use different username and email, however 
self-registered user has same username and email. Maybe this one can be 
replaced from "boolean" to enum with more options?

Marek

>
> On 7 October 2015 at 14:28, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 06/10/15 09:50, Stian Thorgersen wrote:
>>     We've have someone from the community that wants to use mobile
>>     number as the username, as well as verify mobile number by
>>     sending a code via SMS. See "Login by mobile number" thread in
>>     user mailing list for more details. They are also willing to
>>     contribute this back to the community.
>>
>>     That made me think it may be nice to be able to configure the
>>     behavior of the username "field" for a realm. We could have a
>>     simple drop-down in the admin console to configure username mode,
>>     with the following options:
>>
>>     * Username/email - default behavior where a user provides both a
>>     username and email, and the user can login with either. In this
>>     mode email has to be unique.
>>     * Username - a user can only login with a username. In this mode
>>     we could relax the requirement that email has to be unique (that
>>     may be difficult though as it would require not using a database
>>     constraint, which may make it rather difficult to guarantee
>>     uniqueness in other modes)
>     Even if we add the option, I wouldn't remove email uniqueness.
>     Admin can decide to change the mode back to "Username" to "Email"
>     and then some users won't be able to login due to many users with
>     same email. Also is there usecase when there are 2 different users
>     in realm with same email?
>>     * Email - in this mode only email can be used to login. In this
>>     mode username field would not be displayed on the registration
>>     form or account management console. In the token the username
>>     would be set to email. In this mode verify email address should
>>     be enabled by default.
>>     * Mobile - user logs in with a mobile number. We can either just
>>     add mobile number to the username field or add a new mobile field
>>     and require uniqueness on that field. In this mode verify mobile
>>     number should be enabled by default.
>     For the "Mobile" support, isn't an option to remove default
>     username/password Authenticator and add new Authenticator based on
>     mobile number? Also registration screen can be customized and
>     account management as well. Also user can already use protocol
>     mapper to map "mobile_number" attribute to "preferred_username" or
>     whatever he wants into access token.
>
>     TBH advantages of introducing new option are bit unclear to me. It
>     looks like adding another complexity, which is not needed as
>     authentication with mobile can be done with the SPIs we have now IMO.
>
>     Marek
>>
>>     With regards to implementation I think it would be easier to make
>>     the existing username/password authenticator, registration form
>>     and account management adopt to the mode rather than have
>>     separate authenticators, etc.. for each mode.
>>
>>
>>     _______________________________________________
>>     keycloak-dev mailing list
>>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151007/2f081e39/attachment.html

More information about the keycloak-dev mailing list