6:49 a.m.
Hi Marek,
Thanks a lot for your reply, we were trying to configure this with the Github provider,
which allows less customization in the mappers.
The username template mapper looks exactly like what we need, but we don't manage to
configure a generic OpenID connect Identity Provider to work with Github.
We get an error saying "could not decode access token response".
It seems that Github by default return something like this in the token URL
access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer
and the identity provider tries to parse it as a JWT.
Is it possible to configure github as a generic OpenID connect IDP?
Thanks,
Paolo
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Friday, June 14, 2019 18:01
To: Paolo Tedesco <Paolo.Tedesco(a)cern.ch>; stian(a)redhat.com
Cc: keycloak-dev(a)lists.jboss.org; Asier Aguado Corman <asier.aguado(a)cern.ch>; Hannah
Short <hannah.short(a)cern.ch>; Cristian Schuszter <cristian.schuszter(a)cern.ch>
Subject: Re: [keycloak-dev] Customizing usernames
I think that for this, you can use "Username Template" importer. It is the
IdentityProvider mapper. After creating Identity Provider, you can click to tab
"Mappers" and configure it here. Just a note that with this approach, you will
end with duplicated keycloak accounts for someone, who may be same person.
Another possibility is to tweak the "First Broker Login" flow and tweak
authenticators. For example automatically merge accounts without prompting (But this
option has some security implications, see docs for the details).
If you have some recommendations for the usability of the default dialog, feel free to
suggest here. But IMO having both the "automerging accounts" or "duplicated
accounts" is problematic and hence we have the option of asking users for merge
accounts OOTB.
Marek
Dne 14. 06. 19 v 8:33 Paolo Tedesco napsal(a):
Hi Stian,
We want to avoid that users are presented with the "account already exists"
dialogue and the option to merge accounts, because we think that it wouldn't always be
clear for users what is going on.
We managed to turn off the unique email validation, but then, for what we understood, we
need to have unique usernames.
Maybe we are just missing something, then how do we configure unique IDs (which are not
mail addresses) instead of usernames?
Thanks,
Paolo
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Thursday, June 13, 2019 18:36
To: Paolo Tedesco <Paolo.Tedesco(a)cern.ch>
Cc: keycloak-dev(a)lists.jboss.org; Cristian Schuszter
<cristian.schuszter(a)cern.ch>; Asier Aguado Corman
<asier.aguado(a)cern.ch>; Hannah Short <hannah.short(a)cern.ch>
Subject: Re: [keycloak-dev] Customizing usernames
Could you explain your use-case a bit better? It seems to me that having a unique id as
we do for the users today is exactly what you want. We decided to use a unique id rather
than the username for exactly the reasons you mention.
On Thu, 13 Jun 2019 at 13:19, Paolo Tedesco
<Paolo.Tedesco@cern.ch<mailto:Paolo.Tedesco@cern.ch>> wrote:
Hi all,
I'm looking for a way to customize the unique identifiers used by Keycloak in its
internal user database, to avoid possible email or username clashes.
For example, I would like to be able to change the username of someone logging in through
github to "login@github.com<mailto:login@github.com>", so that if someone
has the same login in the CERN LDAP the user is not offered the possibility to merge the
accounts.
Our problems come from the fact that we allow people to change their mail addresses, and
also to use external non-CERN addresses as their email, so we cannot rely on email much.
We would also like to avoid people to merge accounts at all as we think this might be
confusing for users on some occasions, and generate support tickets for us.
Is there a supported way to do this, or would we need to code something ourselves?
If we need to code something, should we write a plugin of some kind (e.g. custom mappers)
or would we need to modify directly the code that manages the login from the identity
provider?
In case someone else requested something similar, we might make our development
available.
Thanks,
Paolo Tedesco
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev