<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/01/16 08:57, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAdc3uv9YZ4qEX4No9aK777tqs5U2AM7+dTj8_JtX+BVEw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 11 January 2016 at 22:34, Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 08/01/16 13:05, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">It's to make it less likely that the
username is already in use. We could use email for
the username in those cases, but email is not
always available. In the past we didn't have a way
to allow the user to change the username if there
was a conflict and instead the first login would
just fail. With the introduction of first time
social flows we could improve on this.
<div><br>
</div>
<div>We could allow selecting the strategy to use.
Then allow the user to change if there's a
conflict. We already allow users to change email
if there's a conflict so can do the same for
username.</div>
</div>
</blockquote>
</span> We already detect conflicts in both email and
username. So the user can either use a different username or
link the account corresponding to the existing username.
Also, as Kamal mentioned, we already have the
IdentityProviderMapper, which allows configuring how the
username is generated ( <span
style="background-color:rgb(228,228,255)">UsernameTemplateMapper
). We don't need any other strategy IMO as the mapper
is flexible enough.<br>
<br>
Maybe we can improve how the username is generated if a
mapper is not used? Currently the username is
generated by an algorithm like this:<br>
1) If there is an IdentityProviderMapper which sets the
username, it has priority<br>
2) Otherwise if realm.isRegistrationEmailAsUsername,
then the email from the social provider is used as the username<br>
3) Otherwise if the username from the identity provider is
set, we generate the keycloak username like "<IDP
alias>.<IDP username>" (For example
"facebook.mposolda" )<br>
4) Otherwise if the username from the identity provider is
null, we generate the keycloak username like </span><span
style="background-color:rgb(228,228,255)">"<IDP
alias>.<IDP ID>" (For example
"facebook.12345" )<br>
<br>
IMO the one thing which can be improved is removing
the IDP prefix in step 3 and using just the username
"mposolda". If there is a conflict, it can be easily
resolved thanks to the first broker login flow. I would
likely keep the IDP alias in step 4 as having just the
username "12345" is a bit confusing IMO.<br>
<br>
WDYT?</span></div>
</blockquote>
<div><br>
</div>
<div>I didn't know that. Is the
UsernameTemplateMapper documented? <br>
</div>
</div>
</div>
</div>
</blockquote>
There is some generic info about broker mappers in the identity broker
chapter (sections 10.8 and 10.9):
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2135">http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2135</a>.
Besides that, there are tooltips in the admin console on the details of how to
use the various template tokens to generate the username.<br>
<blockquote
cite="mid:CAJgngAdc3uv9YZ4qEX4No9aK777tqs5U2AM7+dTj8_JtX+BVEw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>I agree the only thing we need to do is in step 3
remove the "<IDP alias>" prefix.</div>
</div>
</div>
</div>
</blockquote>
Created <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2292">https://issues.jboss.org/browse/KEYCLOAK-2292</a> for 1.9<br>
<br>
Marek<br>
<blockquote
cite="mid:CAJgngAdc3uv9YZ4qEX4No9aK777tqs5U2AM7+dTj8_JtX+BVEw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span
style="background-color:rgb(228,228,255)"><span
class=""><font color="#888888"><br>
Marek<br>
</font></span></span><span class="">
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 8 January 2016 at
12:32, Thomas Raehalme <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:thomas.raehalme@aitiofinland.com"
target="_blank">thomas.raehalme@aitiofinland.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>If I login to Keycloak using a
federated identity such as Google,
Keycloak inserts a prefix "google." to my
username. </div>
<div><br>
</div>
<div>Maybe I'm missing something, but isn't
this kind of unnecessary when the email
address is already a unique property?</div>
<div><br>
</div>
<div>Best regards,</div>
<div>Thomas</div>
</div>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
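<p>The four-step username derivation that Marek lists above, together with the conflict check that hands a clash to the first broker login flow, as an added example that is not Keycloak's own code. The BrokeredIdentity and Realm types, the dictionary standing in for the user store, the template mapper's token syntax and the case-insensitive comparison are all assumptions of this example; the flag keep_alias_prefix models the proposed change (drop the alias prefix in step 3, keep it in step 4).</p>

```python
"""Added example (not Keycloak code): username-derivation precedence from the
thread, plus the conflict check that reports a clash for the first broker login
flow to resolve instead of failing the login."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class BrokeredIdentity:
    """What the identity provider (IdP) returned after login. Constructed type."""
    idp_alias: str                   # realm-local alias of the IdP, e.g. "facebook"
    idp_id: str                      # stable subject identifier issued by the IdP
    username: Optional[str] = None   # IdP-side username, may be absent
    email: Optional[str] = None      # email claim, may be absent


@dataclass
class Realm:
    """Only the realm flag the thread refers to (realm.isRegistrationEmailAsUsername)."""
    registration_email_as_username: bool = False


# A mapper is any callable returning a username or None; it stands in for an
# IdentityProviderMapper such as UsernameTemplateMapper (hypothetical interface).
Mapper = Callable[[BrokeredIdentity], Optional[str]]


def derive_username(realm: Realm, identity: BrokeredIdentity,
                    mapper: Optional[Mapper] = None,
                    keep_alias_prefix: bool = True) -> str:
    """Steps 1-4 from the thread. keep_alias_prefix=False is the proposed change:
    drop the alias prefix in step 3 only; step 4 always keeps it."""
    # 1) A mapper that sets the username has priority.
    if mapper is not None:
        mapped = mapper(identity)
        if mapped:
            return mapped
    # 2) Realm configured to use the email as username, and the IdP supplied one.
    if realm.registration_email_as_username and identity.email:
        return identity.email
    # 3) IdP username set: "alias.username", or the bare username under the proposal.
    if identity.username:
        return f"{identity.idp_alias}.{identity.username}" if keep_alias_prefix else identity.username
    # 4) No IdP username: "alias.id"; the prefix stays because a bare "12345" is confusing.
    return f"{identity.idp_alias}.{identity.idp_id}"


def first_broker_login(realm: Realm, users: Dict[str, Optional[str]],
                       identity: BrokeredIdentity,
                       mapper: Optional[Mapper] = None,
                       keep_alias_prefix: bool = True) -> Tuple[str, str, Optional[str]]:
    """Returns ("created", username, None) or ("conflict", username, "username"/"email").
    `users` is a constructed stand-in for the user store: username -> email (or None).
    A conflict is reported, not treated as a failed login, so the flow can offer the
    user a different username or linking to the existing account."""
    username = derive_username(realm, identity, mapper, keep_alias_prefix)
    # Case-insensitive comparison is an assumption of this example, not from the thread.
    if username.lower() in {u.lower() for u in users}:
        return ("conflict", username, "username")
    if identity.email is not None:
        known_emails = {e.lower() for e in users.values() if e}
        if identity.email.lower() in known_emails:
            return ("conflict", username, "email")
    users[username] = identity.email
    return ("created", username, None)


def template_mapper(template: str) -> Mapper:
    """Tiny illustrative template mapper. Tokens {alias}, {username}, {id}, {email}
    are this example's own, not UsernameTemplateMapper's syntax; returns None when a
    referenced value is missing so the fallback steps still run."""
    def mapper(identity: BrokeredIdentity) -> Optional[str]:
        values = {"alias": identity.idp_alias, "username": identity.username,
                  "id": identity.idp_id, "email": identity.email}
        try:
            return template.format(**{k: v for k, v in values.items() if v is not None})
        except KeyError:
            return None
    return mapper


if __name__ == "__main__":
    realm = Realm()
    store: Dict[str, Optional[str]] = {"mposolda": "marek@example.test"}  # constructed
    fb = BrokeredIdentity("facebook", "12345", username="mposolda")
    print(derive_username(realm, fb))                           # facebook.mposolda
    print(derive_username(realm, fb, keep_alias_prefix=False))  # mposolda
    print(first_broker_login(realm, store, fb, keep_alias_prefix=False))
    print(first_broker_login(realm, store, BrokeredIdentity("facebook", "12345")))
```

<p>Running the block shows why the proposal needs the conflict check: with the prefix dropped, "mposolda" from Facebook collides with the existing local user and the flow must offer a rename or account link, whereas the step 4 fallback "facebook.12345" creates without a clash.</p>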
<br>
</body>
</html>