From: "Stian Thorgersen" <stian@redhat.com>
To: "Marek Posolda" <mposolda@redhat.com>
Cc: keycloak-dev@lists.jboss.org
Sent: Monday, 20 July, 2015 6:42:49 AM
Subject: Re: [keycloak-dev] Email/ username case-sensitivity issues
----- Original Message -----
> From: "Marek Posolda" <mposolda@redhat.com>
> To: keycloak-dev@lists.jboss.org
> Sent: Friday, 17 July, 2015 7:37:58 PM
> Subject: [keycloak-dev] Email/ username case-sensitivity issues
>
> There are some case-sensitivity issues which sometimes let you add an
> object with a duplicated email/username into the DB etc. Some details
> are at https://issues.jboss.org/browse/KEYCLOAK-1545 or
> https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened
> with LDAP, but generally the issues are not LDAP specific - for example even
> without LDAP integration you can add a user with email "JOHN@keycloak.org"
> and then "john@keycloak.org" . The second user is created successfully,
> which doesn't look correct to me.
>
> The solutions I can see are:
> 1) Ensure that username and email are always added lowercased into the DB and
> then searched lowercased. We already fixed similar issues earlier, but
> not entirely. Right now, we are adding username lowercased and
> searching both username and email lowercased, but we are not adding
> email lowercased. I've sent a PR in which I convert both username and email
> to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
> https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47...
>
>
> 2) Another approach can be to add usernames and emails case sensitively,
> but instead ensure that DB searching is case insensitive (lowercased).
> For JPA there is a "lower" function in HQL, but I am not sure if it's
> supported for various databases (and I would really like to avoid DB
> specific failures TBH...;-) ). For Mongo there is the possibility to
> search with a regex to achieve case-insensitive search, but it sucks due to
> performance - so in this case we may need to add separate columns
> username_lowercased and email_lowercased, which will be used for
> searching to ensure the index is used...
>
> I like (1) much more and that's what I used in PR. Any objections
> against merging it?
+1 to (1), that's what we intended to do the first time around, but we seem to
have forgotten email by mistake. We had the same discussion about the local
part being case sensitive back then as well ;)
>
> Or is it bad to assume that emails are case insensitive? Strictly speaking,
> the "local" part of an email is supposed to be case sensitive, so
> "JOHN@keycloak.org" and "john@keycloak.org" are theoretically different
> emails. But in reality most organizations and mail servers treat them as
> the same emails - including Google. I just checked that I can successfully
> log in to Google with MPosOLDA@gmail.com .
>
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
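As an added example, not Keycloak code and not from either poster: a stand-alone Python model of the duplicate-account behaviour discussed above and of approach (1), lowercasing username and email on write and on lookup, plus a check for existing rows that differ only by case. The class and function names (UserStore, demo, find_case_collisions) are made up for the illustration.

```python
# Added example, not Keycloak code: models the duplicate-account behaviour from
# the thread and the fix in approach (1), lowercasing on write and on lookup.

class UserStore:
    """In-memory store with unique username and email columns.
    normalize=False reproduces the reported bug (case-sensitive uniqueness);
    normalize=True lowercases on write and on lookup, as the thread's PR does
    in UserAdapter.setEmail/setUserName."""

    def __init__(self, normalize):
        self.normalize = normalize
        self._by_username = {}
        self._by_email = {}

    def _key(self, value):
        return value.lower() if self.normalize else value

    def add_user(self, username, email):
        u, e = self._key(username), self._key(email)
        if u in self._by_username:
            raise ValueError("duplicate username: " + username)
        if e in self._by_email:
            raise ValueError("duplicate email: " + email)
        record = {"username": u, "email": e}  # stored lowercased if normalized
        self._by_username[u] = record
        self._by_email[e] = record
        return record

    def find_by_email(self, email):
        return self._by_email.get(self._key(email))

def demo(normalize):
    """Return (accounts sharing the mailbox, whether an odd-cased lookup works)."""
    store = UserStore(normalize)
    store.add_user("john", "JOHN@keycloak.org")
    try:
        store.add_user("John", "john@keycloak.org")  # same person, other casing
    except ValueError:
        pass  # rejected only when normalize=True
    found = store.find_by_email("John@Keycloak.org") is not None
    return len(store._by_email), found

def find_case_collisions(emails):
    """Pre-migration check: existing rows that differ only by case would clash
    once approach (1) starts lowercasing, so surface them first."""
    groups = {}
    for e in emails:
        groups.setdefault(e.lower(), []).append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

demo(False) yields two accounts on one mailbox and a failed lookup; demo(True) yields one account and a successful lookup, which is the behaviour approach (1) is after.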