I agree mobile can be done with a separate authenticator, it's probably not
that much additional work to add either. However, that doesn't change the
account management console, registration screens, etc. So there's more
work than that + quite a lot of configuration needed to use mobile instead
of email/username.
It would be nice to have a configurable option on the username/email
authenticator to support only email though. I think we may have this
already but it's a realm option rather than a configuration option on the
authenticator. Same arguments here, if someone just wants to use email, the
username shouldn't be displayed on login, registration and account
management.
On 7 October 2015 at 14:28, Marek Posolda <mposolda(a)redhat.com> wrote:
On 06/10/15 09:50, Stian Thorgersen wrote:
We have someone from the community that wants to use mobile number as
the username, as well as verify mobile number by sending a code via SMS.
See "Login by mobile number" thread in user mailing list for more details.
They are also willing to contribute this back to the community.
That made me think it may be nice to be able to configure the behavior of
the username "field" for a realm. We could have a simple drop-down in the
admin console to configure username mode, with the following options:
* Username/email - default behavior where a user provides both a username
and email, and the user can login with either. In this mode email has to be
unique.
* Username - a user can only login with a username. In this mode we could
relax the requirement that email has to be unique (that may be difficult
though as it would require not using a database constraint, which may make
it rather difficult to guarantee uniqueness in other modes)
Even if we add the option, I wouldn't remove email uniqueness. Admin can
decide to change the mode back to "Username" to "Email" and then some users
won't be able to login due to many users with same email. Also is there
a use case when there are 2 different users in realm with same email?
* Email - in this mode only email can be used to login. In this mode
username field would not be displayed on the registration form or account
management console. In the token the username would be set to email. In
this mode verify email address should be enabled by default.
* Mobile - user logs in with a mobile number. We can either just add
mobile number to the username field or add a new mobile field and require
uniqueness on that field. In this mode verify mobile number should be
enabled by default.
For the "Mobile" support, isn't it an option to remove default
username/password Authenticator and add new Authenticator based on mobile
number? Also registration screen can be customized and account management
as well. Also user can already use protocol mapper to map "mobile_number"
attribute to "preferred_username" or whatever he wants into access token.
TBH advantages of introducing new option are a bit unclear to me. It looks
like adding another complexity, which is not needed as authentication with
mobile can be done with the SPIs we have now IMO.
Marek
With regards to implementation I think it would be easier to make the
existing username/password authenticator, registration form and account
management adapt to the mode rather than have separate authenticators,
etc. for each mode.