On 26 November 2015 at 12:18, Sebastian Olscher <
sebastian.olscher(a)traveltainment.de> wrote:
Unfortunately this would also not solve the original issue: we are
handling these accounts like all other accounts and using standard Keycloak
features which all bases on the email address. Would it be a smaller effort
to handle this check on software level? You can configure the uniqueness of
the email address in each realm, check this on software level and delete
the unique index in the database. Would that be manageable?
We can't guarantee that a email is unique without a constraint, as
otherwise there's always a window where duplicates could be added. We can't
remove the constraint either as the constraint applies to all realms, but
further we can't change the db schema based on configuration options on a
realm.
We would need to have a separate field in the db for non-unique email
addresses. That's not really a big problem I think, but it would still be a
fair bit of work to implement. We'd also need to have an option on a realm
on what attribute to use as username, options should be username/email,
username or email.
You can add a feature request, but ATM we're stretched rather thin so it
would be a while until we could implement it. Unless you are willing to
contribute it though? If you are then we should discuss how it should be
done, and also need to double check if there's any problems in adding it.
“Email address unique or not?” – I have found a similar discussion and a
recommendation in the OpenId-Connect-Spezification:
“Therefore, the only guaranteed unique identifier for a given End-User is
the combination of the iss Claim and the sub Claim.
All other Claims carry no such guarantees across different issuers in
terms of stability over time or uniqueness across users, and Issuers are
permitted to apply local restrictions and policies. For instance, an Issuer
MAY re-use an email Claim Value across different End-Users at different
points in time, and the claimed email address for a given End-User MAY
change over time. Therefore, other Claims such as email, phone_number,
and preferred_username and MUST NOT be used as unique identifiers for the
End-User. “ [OpenId-Connect Core Spzification 1.0 – 5.7 Calim
Stability and Uniqueness]
So, at this point, we have a local restriction of Keycloak which says that
the email claim has to be unique. This is absolutely compliant but as the
example exactly describes the email case, I think others were also dealing
with this topic. Because of this, the spezification recommends to make the
email address not unique. What do you think, would that be an option for a
new feature?
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Thursday, November 26, 2015 8:58 AM
*To:* Sebastian Olscher
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Email is unique within one realm
I meant that you'd use the attribute option only for the "server accounts"
where it's not the email of the user, but a contact email. For regular
users you'd continue using the email field. Would that work? You can even
write a custom protocol mapper that takes either and adds it to the same
claim in the token.
The email field has a unique constraint in the database and that's not
something we can enable/disable with a realm option. I think we'd have to
add an additional field or store the email as an attribute. Could be a bit
messy and quite a bit of work to do.
On 26 November 2015 at 08:29, Sebastian Olscher <
sebastian.olscher(a)traveltainment.de> wrote:
Unfortunately this is not easily possible because we want to use
out-of-the-box features such as „update profile email”, „reset password
email” and others, where Keycloak uses the email address of the account.
As I understood the reason why the email address was designed as unique is
that it could be also used as the username. Would it be possible to
implement this as a feature within the realm config? You can configure if
you want to allow the usage of the email address as the username. If not,
the email address has not to be unique. For us, this would make totally
sense and helps us to fulfill the requirement. Would that be possible if
there are no other preventing side effects?
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Wednesday, November 25, 2015 8:31 PM
*To:* Sebastian Olscher
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Email is unique within one realm
In that case could you just set the contact email address as an attribute
instead? The email field has to be unique has it can be in place of
username. You could even use protocol mappers to map either email or the
attribute to the same claim in the token.
On 25 November 2015 at 15:57, Sebastian Olscher <
sebastian.olscher(a)traveltainment.de> wrote:
This receives importance if we are talking about users which will be used
by a system and not a human person. These users may have the same
responsible contact person as there is a system using this account and no
real human. The contact person is identified by the email address. Our own
specific information will be designed as user attributes.
For example:
Username: sys_customer1
Email address: sebastian.olscher(a)traveltainment.de (Email address of the
contact person who is responsible for this user)
User attribute: Key=customer, Value=customer1
Username: sys_customer2
Email address: sebastian.olscher(a)traveltainment.de (Email address of the
contact person who is responsible for this user)
User attribute: Key=customer, Value=customer2
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Wednesday, November 25, 2015 3:04 PM
*To:* Sebastian Olscher
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Email is unique within one realm
That's not possible at the moment. Out of curiosity why would you have two
different accounts for the same person?
On 25 November 2015 at 15:01, Sebastian Olscher <
sebastian.olscher(a)traveltainment.de> wrote:
Hello,
the email address is unique within one realm. Is there a possibility to
fulfill the requirement to have different user (different usernames) for
different applications within one realm which were managed and used by the
same person/entity?
For example:
Username: I_Am_An_Admin
Email: user(a)traveltainment.de
(gets roles for every client within the realm)
Username: I_Am_A_Normal_User
Email: user(a)traveltainment.de
(get roles from only one client within the realm)
Is this unambiguity of the email address configurable?
Thanks,
Sebastian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user