[keycloak-dev] Custom attributes for roles

Hi everybody, For compliance reasons, I have to store for each role, who is responsible for managing this role. Keycloak has the nice feature of supporting custom attributes for users and groups. I think supporting my requirement would be best done by also having custom attributes per role (that could for example also be mapped from an LDAP). Do you think custom role attributes would be a valuable addition and could make it upstream? Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org] On Behalf Of Stian Thorgersen Sent: Freitag, 10. November 2017 07:14 To: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Subject: [keycloak-dev] Can't login with email as username if another user has same email If user#1 has the username &#39;user(a)host.com&#39; with no email, and user#2 has the email &#39;user(a)host.com&#39;, user#1 would not be able to login. In this case user#1 would have to contact the admin who would have to change the username or add an email. This issue was reported a while back by our QE [1], but AFAIK no actual users have run into this problem and it seems unlikely that it'll be a real problem. I'm leaning towards just closing this issue as won't fix. Best ideas I have for solving is: 1. Make sure username can't match email of another user. Not sure how we could do this as I'm pretty sure that couldn't be done with SQL. 2. Add a code check for for the above. It won't be guaranteed, but maybe good enough? 3. Add option to set if realm should allow login by "Username and email", "Username only" or "Email only". For the "Username and email" option we should document the fact that this issue can happen and that email always wins. [1] https://issues.jboss.org/browse/KEYCLOAK-4466 _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev