<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 15/02/16 05:51, Fabricio Milone
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAOjtoUMHmKPULdcFPrfMP6TZvyOZThS43Zd5R-uMno8jCtXLmQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>I've been trying to solve an issue with my Federator for a
          few days now when I import users that don't exist in Keycloak
          (but they do exist in my Federator DB). </div>
        <div><br>
        </div>
        <div>I'm getting a duplicated value constraint violation error
          on email_constraint attribute from user_entity table. So I
          looked into the source code and found that the emailConstraint
          attribute is being set to the email value when I'm calling
          UserEntity.setEmail(String email).</div>
        <div><br>
        </div>
        <div>
          <pre>public void setEmail(String email) {
    this.email = email;
    this.emailConstraint = email != null ? email : KeycloakModelUtils.generateId();
}</pre>
        </div>
        <div><br>
        </div>
        <div>Also I saw this comment in UserEntity.java:64:</div>
        <div>
          <pre>// Hack just to workaround the fact that on MS-SQL you can't have unique constraint with multiple NULL values TODO: Find better solution (like unique index with 'where' but that's proprietary)
@Column(name = "EMAIL_CONSTRAINT")
protected String emailConstraint = KeycloakModelUtils.generateId();</pre>
        </div>
        <div><br>
        </div>
        <div>My system allows duplicated email addresses and that cannot
          change.</div>
        <div><br>
        </div>
        <div>Is there any way to allow duplicated email addresses on
          Keycloak? </div>
        <div>Are you planning on an improvement to add support for a
          configurable unique key for users?</div>
        <div>What would be the best way to get rid of that constraint?</div>
      </div>
    </blockquote>
    Depends on whether you want to use some Keycloak features that rely
    on sending emails to users (i.e. Forget password).<br>
    <br>
    1) If not, then you have full control in your UserFederationProvider
    and you can skip the official "email" attribute and use some completely
    different attribute. For example, instead of:<br>
    <br>
    keycloakUser.setEmail(emailFromYourFederatorDB);<br>
    <br>
    you use:<br>
    <br>
    keycloakUser.setSingleAttribute("custom-email",
    emailFromYourFederatorDB);<br>
    <br>
    You can also create protocolMappers for your clients to ensure that
    emails from attribute "custom-email" are used in access tokens, so
    your applications will properly see the user's emails in attribute
    "email" inside access token.<br>
    <br>
    <br>
    2) If yes, I suggest relying on the default Keycloak user "email"
    attribute, but changing your DB to not allow duplicate emails. Having
    multiple accounts with the same email is a broken architecture IMO. Among
    other issues, there can be security flaws like:<br>
    - user1 clicks on the "Forget password" link<br>
    - user2 (who has the same email as user1) will read the email sent by
    Keycloak for user1. He clicks on the link and resets the password of
    user1<br>
    - user2 is able to log in as user1<br>
    <br>
    Marek<br>
    <blockquote
cite="mid:CAOjtoUMHmKPULdcFPrfMP6TZvyOZThS43Zd5R-uMno8jCtXLmQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>As a reference, I'm using Keycloak 1.7.0 and Informix as a
          DB.</div>
        <div><br>
        </div>
        <div>Any help would be appreciated.</div>
        <div><br>
        </div>
        <div>Thanks in advance.</div>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Fab</div>
        <div><br>
        </div>
      </div>
      <br>
      <pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
    </blockquote>
    <br>
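    Added example, not part of the original thread and not Keycloak code: a self-contained model of the setEmail()/emailConstraint behaviour quoted above, showing why importing two federated accounts with the same address trips the unique constraint while option 1 (the "custom-email" attribute) does not.<br>
    The User and UserTable classes, importAll() and the sample rows are hypothetical stand-ins; UUID replaces KeycloakModelUtils.generateId(), and a single realm is assumed.<br>

```java
import java.util.*;
// Added illustration, not Keycloak code. Class and method names other than
// setEmail, setSingleAttribute and emailConstraint are hypothetical.
public class EmailConstraintDemo {
    static class User {
        final String username;
        String email;
        // Same idea as the quoted field: never NULL, random while no email is set.
        String emailConstraint = UUID.randomUUID().toString();
        final Map<String, String> attributes = new HashMap<>();
        User(String username) { this.username = username; }
        // Mirrors the setEmail() quoted in the thread (UUID stands in for generateId()).
        void setEmail(String email) {
            this.email = email;
            this.emailConstraint = email != null ? email : UUID.randomUUID().toString();
        }
        void setSingleAttribute(String name, String value) { attributes.put(name, value); }
    }

    // In-memory stand-in for the table and its unique EMAIL_CONSTRAINT column.
    static class UserTable {
        final Set<String> uniqueEmailConstraint = new HashSet<>();
        int rows = 0;
        void insert(User u) {
            if (!uniqueEmailConstraint.add(u.emailConstraint)) {
                throw new IllegalStateException("duplicate EMAIL_CONSTRAINT for " + u.username);
            }
            rows++;
        }
    }

    // Imports every federated record; useCustomAttribute selects option 1 from the reply.
    static int importAll(String[][] federated, boolean useCustomAttribute) {
        UserTable table = new UserTable();
        for (String[] rec : federated) {
            User u = new User(rec[0]);
            if (useCustomAttribute) u.setSingleAttribute("custom-email", rec[1]);
            else u.setEmail(rec[1]);
            try { table.insert(u); }
            catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
        }
        return table.rows;
    }

    public static void main(String[] args) {
        // Constructed sample rows: two accounts share one address, one has none.
        String[][] federated = { {"user1", "shared@example.com"}, {"user2", "shared@example.com"}, {"user3", null} };
        System.out.println("setEmail: " + importAll(federated, false) + " of 3 imported");
        System.out.println("custom-email: " + importAll(federated, true) + " of 3 imported");
    }
}
```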
  </body>
</html>