<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/10/15 14:38, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAcB66BFmY5Mwh_Vmyku7ioiDd0SUPV_GNBGkM6CXZiATw@mail.gmail.com"
type="cite">
<div dir="ltr">I agree mobile can be done with a separate
authenticator, it's probably not that much additional work to
add either. However, that doesn't change the account management
console, registration screens, etc. So there's more work than
that + quite a lot of configuration needed to use mobile instead
of email/username.
<div><br>
</div>
<div>It would be nice to have a configurable option on the
username/email authenticator to support only email though. I
think we may have this already but it's a realm option rather
than a configuration option on the authenticator. Same
arguments here, if someone just wants to use email, the
username shouldn't be displayed on login, registration and
account management.</div>
</div>
</blockquote>
Hmm... it looks like we already have "<span
style="background-color:#e4e4ff;">isRegistrationEmailAsUsername"
on RealmModel. This seems to affect just the registration screen,
so an admin has the possibility to use a different username and email,
however a self-registered user has the same username and email. Maybe
this one can be changed from "boolean" to an enum with more options?<br>
<br>
Marek<br>
<br>
</span>
<blockquote
cite="mid:CAJgngAcB66BFmY5Mwh_Vmyku7ioiDd0SUPV_GNBGkM6CXZiATw@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 October 2015 at 14:28, Marek
Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 06/10/15 09:50, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">We have someone from the community
that wants to use mobile number as the username, as
well as verify mobile number by sending a code via
SMS. See "Login by mobile number" thread in user
mailing list for more details. They are also willing
to contribute this back to the community.
<div><br>
</div>
<div>That made me think it may be nice to be able to
configure the behavior of the username "field" for
a realm. We could have a simple drop-down in the
admin console to configure username mode, with the
following options:</div>
<div><br>
</div>
<div>* Username/email - default behavior where a
user provides both a username and email, and the
user can login with either. In this mode email has
to be unique.</div>
<div>* Username - a user can only login with a
username. In this mode we could relax the
requirement that email has to be unique (that may
be difficult though as it would require not using
a database constraint, which may make it rather
difficult to guarantee uniqueness in other modes)</div>
</div>
</blockquote>
</span> Even if we add the option, I wouldn't remove email
uniqueness. An admin can decide to change the mode back from
"Username" to "Email" and then some users won't be able to
login due to many users with the same email. Also, is there a
use case where there are 2 different users in a realm with the
same email?<span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div>* Email - in this mode only email can be used
to login. In this mode username field would not be
displayed on the registration form or account
management console. In the token the username
would be set to email. In this mode verify email
address should be enabled by default.</div>
<div>* Mobile - user logs in with a mobile number.
We can either just add mobile number to the
username field or add a new mobile field and
require uniqueness on that field. In this mode
verify mobile number should be enabled by default.</div>
</div>
</blockquote>
</span> For the "Mobile" support, isn't it an option to
remove the default username/password Authenticator and add a new
Authenticator based on mobile number? Also, the registration
screen can be customized, and account management as well.
Also, the user can already use a protocol mapper to map the
"mobile_number" attribute to "preferred_username" or
whatever he wants into the access token.<br>
<br>
TBH the advantages of introducing a new option are a bit unclear
to me. It looks like adding additional complexity, which is
not needed as authentication with mobile can be done with
the SPIs we have now IMO.<br>
<br>
Marek<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div><br>
</div>
<div>With regards to implementation I think it would
be easier to make the existing username/password
authenticator, registration form and account
management adapt to the mode rather than have
separate authenticators, etc. for each mode.</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>