Hi again,
Thanks for the fast reply!
ons, 14 09 2016 kl. 09:24 +0200, skrev Stian Thorgersen:
We are planning to introduce support for contact email in the future. The current email
field is both a login and a contact email. As it's used for login it has to be
unique.
Do you have an approximate ETA for the contact email introduction?
You could probably work around it with custom mappers for your IdPs that map email to an
attribute rather than the user email field. Then create a custom email sender to use the
contact attribute from the user rather than email field.
While I can see that this would work, would this have any advantage over the
"custom-authenticator-that-deletes-existing-users-with-the-same-email" approach
I mentioned? In my view using the "delete" approach is easier/faster to
implement and would also requires fewer changes once the contact-email is introduced.
Best regards,
Tomas
[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
On 14 September 2016 at 09:17, Tomas Groth Christensen
<tgc@dma.dk<mailto:tgc@dma.dk>> wrote:
Hi,
I'm involved in a project where we use Keycloak as Identity Broker, and
so far we've been very happy with Keycloak, and implemented a few SPIs
to do some special things, but now we've hit a snag...
In our setup we have many clients using the Identity Broker which then
again has many Identity Providers from which the user can chose one to
use for login.
Our problem is that the same user (using one email address) can exist
in 2 or more Identity Providers, and we do not want to link these
accounts. The reason for not linking the accounts is that the user can
be given special privileges in clients, based on which Identity
Provider the user comes from. These privileges should not be carried
over from one Identity Providers user to another since the same user
might be an administrator when coming the one Identity Provider and a
common user when coming from a different Identity Provider.
So, is it possible to allow multiple users to have the same email
address? Looking at the source code there are checks for duplicated
user-emails in most places where users are created... Could a solution
be to implement a custom authenticator that replaces
IdpCreateUserIfUniqueAuthenticator which does not check for duplicated
emails, or are there database constraints that will prohibit this?
An alternative solution could perhaps be a custom authenticator that
simply deletes existing users with the same email address?
I hope you can give me some pointer on how to proceed...
--
Best regards,
Tomas Groth Christensen
Softwaredeveloper
Danish Maritime Authority
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev