<div dir="ltr">Stian, would we be able to collaborate on removing the uniqueness of email a bit further? We have non-unique emails for a very large number of accounts and can't use keycloak in its current form. In our case username is unique but email is not and never will be. From what I can see following use cases would need consideration making email non-unique.<div><br></div><div>- login (username or email) , in case of email non-uniqueness accepting email as login will need to be disabled</div><div>- forget username, in this case one would not be able to recover a username if email can be present in multiple accounts </div><div>- forget password, accepting email as login will need to be disabled</div><div><br></div><div>Are there any other use cases that could be impacted?</div><div><br></div><div>Thanks Niels</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 12, 2016 at 5:16 PM, Guus der Kinderen <span dir="ltr"><<a href="mailto:guus.der.kinderen@gmail.com" target="_blank">guus.der.kinderen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yes, that makes sense.<div><br></div><div>In the way I use the admin client, I created a challenge in my application. Every time someone logs in, I simply check delegate that attempt to Keycloak. I won't know if the user was deleted and recreated in the mean time. Pretty likely, the credentials will have changed, but that's not a good indicator to determine if the user attributes that I store in my app should be purged.</div><div><br></div><div>For now, all user management will be done in my app (propagating all changes to Keycloak), but at some point, this is going to hurt me...</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 09:04, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">BTW this is main reason token subject is User ID not username, to guarantee uniqueness over time.</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 09:03, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span>On 12 April 2016 at 08:58, Guus der Kinderen <span dir="ltr"><<a href="mailto:guus.der.kinderen@gmail.com" target="_blank">guus.der.kinderen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hmm... that rename route is disabled by default though?</div></blockquote><div><br></div></span><div>Yes</div><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Also, when deleting a user, are we guaranteed that all user artifacts are removed? I'd hate to see another user (years later) have access to things simply because he picked a previously used name. Then again, most artifacts (if not all) will probably be linked through the ID, not username.</div></div></blockquote><div><br></div></span><div>Everything in Keycloak is linked through ID, not username. Obviously you may use username in your app rather than ID, in which case that may be a problem in your app. In that case you should probably disable a decommissioned user rather than disable or change your app.</div><div><div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 06:32, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There's an option to enable users to change their username. Enabling that could result in a user renaming the username, then another user taking the same username. There's also the situation where a user with a specific username is deleted, then another user is created with the same username (maybe years after).</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 01:31, Guus der Kinderen <span dir="ltr"><<a href="mailto:guus.der.kinderen@gmail.com" target="_blank">guus.der.kinderen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the feedback, Niels,<div><br></div><div>I am primarily concerned about the email address, but as another attribute than the username is used to identify things, I thought I'd make sure and include that in the question too.</div><div><br></div><div>At some point, my customer will probably want non-unique email addresses. It's good to know it's at least on the roadmap.</div><div><br></div><div>Regards,</div><div><br></div><div> Guus</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 00:50, Niels Bertram <span dir="ltr"><<a href="mailto:nielsbne@gmail.com" target="_blank">nielsbne@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Guus,<div><br></div><div>I can't see how you could manage non-uniqueness of the username as you will need at least one user side unique identifier to drive forget password flow. But the option to have email non-unique has been discussed a while back in the user forum and there is this open Jira <a href="https://issues.jboss.org/browse/KEYCLOAK-2141" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2141</a>.</div><div><br></div><div>We have been looking at non-unique emails and essentially one will have to remove the functionality of using email as a form of login from the login flow leaving the user to only be able to use their assigned or selected username as option. We have been trying to "hack" the codebase a bit but have not been too successful in getting keycloak to work properly with non-unique emails :( ...</div><div><br></div><div>Cheers,</div><div>Niels</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Tue, Apr 12, 2016 at 3:08 AM, Guus der Kinderen <span dir="ltr"><<a href="mailto:guus.der.kinderen@gmail.com" target="_blank">guus.der.kinderen@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello,<div><br></div><div>Keycloak uses a UUID value to identify a uses. Basic questions: through some form of configuration:</div><div><ul><li>Can more than two users exist that have an identical username?<br></li><li>Can more than two users exist that have an identical email address? <br></li></ul><div>Regards,</div></div><div><br></div><div> Guus</div></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div></div></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>