Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen <sthorger(a)redhat.com&gt; Antworten an: &quot;stian(a)redhat.com&quot; <stian(a)redhat.com&gt; Datum: Donnerstag, 18. Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" <marco.scheuermann(a)daimler.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt;, &quot;fabian.loewner(a)freiheit.com&quot; <fabian.loewner(a)freiheit.com&gt;, "Scollo, Carmelo (059)" <carmelo.scollo(a)daimler.com&gt;, "Herrmann, David Christian (059)" <david_christian.herrmann(a)daimler.com&gt;, "Schmitt, Lukas (059)" <lukas.schmitt(a)daimler.com&gt; Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute “mobile” to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

Thank you Stian, I understand your point. I will create a longer description of our requirement and why it has a benefit for the community. Is that ok for you? Thank you, Marco Von: Stian Thorgersen <sthorger(a)redhat.com&gt; Antworten an: &quot;stian(a)redhat.com&quot; <stian(a)redhat.com&gt; Datum: Freitag, 19. Oktober 2018 um 08:14 An: "Scheuermann, Marco (059)" <marco.scheuermann(a)daimler.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt;, &quot;fabian.loewner(a)freiheit.com&quot; <fabian.loewner(a)freiheit.com&gt;, "Scollo, Carmelo (059)" <carmelo.scollo(a)daimler.com&gt;, "Herrmann, David Christian (059)" <david_christian.herrmann(a)daimler.com&gt;, "Schmitt, Lukas (059)" <lukas.schmitt(a)daimler.com&gt; Betreff: Re: [keycloak-dev] User Profile Extension I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Donnerstag, 18. Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute “mobile” to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

Thats very good. Would you support a full implementation for passwordless login in keykloak? User has to enter email address, presses login and then he gets a One Time Password to login. If that`s fine for you, I would discuss with my colleagues if we create a PR. Ok? Marco Von: Stian Thorgersen <sthorger(a)redhat.com&gt; Antworten an: &quot;stian(a)redhat.com&quot; <stian(a)redhat.com&gt; Datum: Freitag, 19. Oktober 2018 um 08:26 An: "Scheuermann, Marco (059)" <marco.scheuermann(a)daimler.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt;, &quot;fabian.loewner(a)freiheit.com&quot; <fabian.loewner(a)freiheit.com&gt;, "Scollo, Carmelo (059)" <carmelo.scollo(a)daimler.com&gt;, "Herrmann, David Christian (059)" <david_christian.herrmann(a)daimler.com&gt;, "Schmitt, Lukas (059)" <lukas.schmitt(a)daimler.com&gt; Betreff: Re: [keycloak-dev] User Profile Extension I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community. On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Thank you Stian, I understand your point. I will create a longer description of our requirement and why it has a benefit for the community. Is that ok for you? Thank you, Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Freitag, 19. Oktober 2018 um 08:14 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Donnerstag, 18. Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute “mobile” to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

Right. SMS with OTP. Marco Von meinem iPhone gesendet Am 22.10.2018 um 09:00 schrieb Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>>: We would be open to that. It would be great if you could start with describing it in more detail first though. It's pretty simple to implement something like that, but making it user friendly and a generic feature is more complicated. See https://github.com/stianst/keycloak-experimental/tree/master/magic-link for instance. It does passwordless, but it's not very nice for those setting up Keycloak or the end user. I presume you are talking about a SMS with the one time password? On Fri, 19 Oct 2018 at 08:29, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Thats very good. Would you support a full implementation for passwordless login in keykloak? User has to enter email address, presses login and then he gets a One Time Password to login. If that`s fine for you, I would discuss with my colleagues if we create a PR. Ok? Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Freitag, 19. Oktober 2018 um 08:26 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community. On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Thank you Stian, I understand your point. I will create a longer description of our requirement and why it has a benefit for the community. Is that ok for you? Thank you, Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Freitag, 19. Oktober 2018 um 08:14 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Antworten an: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Datum: Donnerstag, 18. Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> Cc: keycloak-dev <keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>>, "fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>" <fabian.loewner@freiheit.com<mailto:fabian.loewner@freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo@daimler.com<mailto:carmelo.scollo@daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann@daimler.com<mailto:david_christian.herrmann@daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt@daimler.com<mailto:lukas.schmitt@daimler.com>> Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann@daimler.com<mailto:marco.scheuermann@daimler.com>> wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute “mobile” to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

Hi Lilian, that sounds really good. I`d like to review your implementation if it also fulfills our requirements. How could we proceed? Thx, Marco Am 23.10.18, 14:07 schrieb "Lilian BENOIT" <lilian.benoit(a)lbenoit.fr&gt;: Hi. For one project, i extended Keycloak for implement login with mobile number or email. I have implemented login, registration by mobile number. I used activation by code because a link is too long by SMS. But i could use a link reducer (internal or external) I developed a new SPI for send SMS (inspired by EmailSenderProvider). It's to permit to implement a specific solution with our SMS provider. Currently, i saved mobile number in a attribute but it's more elegant that using mobile number same email (for example, activate or not authentication by mobile) If there is a subject, i am interested to contribute. Best Regards. Lilian BENOIT. Le 2018-10-19 08:26, Stian Thorgersen a écrit : If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.