From: "Marek Posolda" <mposolda@redhat.com>
To: keycloak-dev@lists.jboss.org
Sent: Friday, 17 July, 2015 7:37:58 PM
Subject: [keycloak-dev] Email/ username case-sensitivity issues
There are some case-sensitivity issues, which sometimes let you add an
object with a duplicated email/username into the DB etc. Some details
are at
https://issues.jboss.org/browse/KEYCLOAK-1545 or
https://issues.jboss.org/browse/KEYCLOAK-1551. Those issues happened
with LDAP, but generally the issues are not LDAP-specific - for example even
without LDAP integration you can add a user with the email "JOHN@keycloak.org"
and then "john@keycloak.org". The second user is created successfully,
which doesn't look correct to me.
The solutions I can see are:
1) Ensure that username and email are always added lowercased into the DB and
then searched lowercased. We already fixed similar issues earlier, but
not entirely. Right now, we are adding the username lowercased and
searching both username and email lowercased, but we are not adding the
email lowercased. I've sent a PR where I convert both username and email
to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47...
2) Another approach could be to add usernames and emails case-sensitively,
but instead ensure that DB searching is case-insensitive (lowercased).
For JPA there is a "lower" function in HQL, but I am not sure if it's
supported for various databases (and I would really like to avoid DB
specific failures TBH...;-) ). For Mongo there is the possibility to
search with a regex to achieve a case-insensitive search, but it sucks due to
performance - so in this case we may need to add separate columns
username_lowercased and email_lowercased, which will be used for
searching to ensure an index is used...
I like (1) much more and that's what I used in PR. Any objections
against merging it?
+1 to (1), that's what we intended to do the first time around, but we seem to have
forgotten email by mistake. We had the same discussion about the local part being case
sensitive back then as well ;)
Or is it bad to assume that emails are case insensitive? Strictly speaking,
the "local" part of an email is supposed to be case sensitive, so
"JOHN@keycloak.org" and "john@keycloak.org" are theoretically
different emails. But in reality most organizations and mail servers treat them as
the same email - including Google. I just checked that I can successfully
log in to Google with MPosOLDA@gmail.com.
Marek
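The duplicate-email defect and the fix in option (1), shown with a constructed SQLite table rather than Keycloak's own JPA code (added example, not from the thread or the project): a case-sensitive UNIQUE constraint accepts both spellings of the address, while lowercasing on every write and every lookup makes the second insert collide and lets a mixed-case lookup still find the user.

```python
import sqlite3


def open_db():
    """Constructed in-memory user table. SQLite's UNIQUE uses the BINARY
    collation, so 'JOHN@x' and 'john@x' are different values - the same
    situation the thread describes for the Keycloak user store."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE user_entity (
                    username TEXT NOT NULL UNIQUE,
                    email    TEXT NOT NULL UNIQUE)""")
    return db


def add_user_as_typed(db, username, email):
    """Current behaviour from the thread: email stored exactly as entered."""
    db.execute("INSERT INTO user_entity VALUES (?, ?)", (username, email))


def add_user_normalized(db, username, email):
    """Option (1): lowercase BEFORE the INSERT so the UNIQUE constraint sees
    one canonical spelling. (In Java use toLowerCase(Locale.ROOT); the
    default-locale form changes 'I' differently under a Turkish locale.)"""
    db.execute("INSERT INTO user_entity VALUES (?, ?)",
               (username.lower(), email.lower()))


def find_by_email_normalized(db, email):
    """The lookup side must apply the same normalization as the write side."""
    row = db.execute("SELECT username FROM user_entity WHERE email = ?",
                     (email.lower(),)).fetchone()
    return row[0] if row else None


def demo():
    # Defect: both spellings of the address are accepted as distinct users.
    db = open_db()
    add_user_as_typed(db, "john", "JOHN@keycloak.org")
    add_user_as_typed(db, "john2", "john@keycloak.org")
    dup_count = db.execute(
        "SELECT COUNT(*) FROM user_entity WHERE lower(email) = ?",
        ("john@keycloak.org",)).fetchone()[0]
    # Fix: the second, differently-cased insert hits the UNIQUE constraint.
    db = open_db()
    add_user_normalized(db, "John", "JOHN@keycloak.org")
    try:
        add_user_normalized(db, "john2", "john@keycloak.org")
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True
    return dup_count, rejected, find_by_email_normalized(db, "John@Keycloak.ORG")
```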
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev