Re: [keycloak-dev] Email/ username case-sensitivity issues

Marek: assigned https://issues.jboss.org/browse/KEYCLOAK-1544 to you as it's related to fix you've done ----- Original Message ----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > To: "Marek Posolda" <mposolda(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Monday, 20 July, 2015 6:42:49 AM > Subject: Re: [keycloak-dev] Email/ username case-sensitivity issues > > > > ----- Original Message ----- >> From: "Marek Posolda" <mposolda(a)redhat.com&gt; >> To: keycloak-dev(a)lists.jboss.org >> Sent: Friday, 17 July, 2015 7:37:58 PM >> Subject: [keycloak-dev] Email/ username case-sensitivity issues >> >> There are some case-sensitivity issues, which cause that sometimes you >> can add object with duplicated email/username into DB etc. Some details >> are at https://issues.jboss.org/browse/KEYCLOAK-1545 or >> https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened >> with LDAP, but generally issues are not LDAP specific - for example even >> without LDAP integration you can add user with email &quot;JOHN(a)keycloak.org&quot; >> and then &quot;john(a)keycloak.org&quot; . Second user is created successfully, >> which doesn't look correct to me. >> >> The solutions I can see is: >> 1) Ensure that username and email is always added lowercased into DB and >> then searched lowercased. We already fixed similar issues earlier, but >> not entirely . Right now, we are adding username lowercased and >> searching both username and email lowercased, but we are not adding >> email lowercased. I've sent PR when I am convert both username and email >> to lowercase in UserAdapter.setEmail and UserAdapter.setUserName - >> https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47... >> >> >> 2) Another approach can be to add usernames and emails case sensitively, >> but instead ensure that DB searching is case insensitive (lowercased). >> For JPA there is "lower" function in HQL, but I am not sure if it's >> supported for various databases (and I would really like to avoid DB >> specific failures TBH...;-) ). For Mongo there is possibility to >> search with regex to achieve case-insensitive search but it sucks due to >> performance- so in this case we may need to add separate columns >> username_lowercased and email_lowercased, which will be used for >> searching to ensure index is used... >> >> I like (1) much more and that's what I used in PR. Any objections >> against merging it? > +1 To (1) that's what we intended to do the first time around, but seem to > have forgotten email by mistake. We had the same discussion then about local > part being case sensitive back then as well ;) > >> Or is it bad to assume that email are case insensitive? Strictly said, >> the "local" part of email is supposed to be case sensitive, so >> &quot;JOHN(a)keycloak.org&quot; and &quot;john(a)keycloak.org&quot; are theoretically different >> emails. But in reality most organizations and mail servers treat them as >> same emails - including Google. Just checked that I can successfully >> login to Google with MPosOLDA(a)gmail.com . >> >> Marek >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >