On 8/1/2019 5:57 AM, Ales Fuchs wrote:
Thank you for your quick response.

Dear Mr. Lech, Disabling "Edit username" in "Realm Settings -> Login" will only hide the username input in the default theme, but not the email input. When email is updated by user, both email and username change (due to setting of "Email as username") without any request for ownership verification (via mail).

The input element for email can be hidden or removed by adding a custom theme with overridden template. But this is not a bulletproof solution, as the input can be easily added again by editing the HTML in browser's inspector. When a username is changed, user can log in with the new username and original password. Then he can log into an integrated application which takes him as a verified user, but the verification didn't happen. This is a security breach.

Dear Mr. Silvert, Both enabled "Email as username" and disabled "Edit username" is really what we want. We don't want to force users to remember their usernames (yet another login detail) since email address is already useful and unique identifier. And any change of the email address (if it cannot be disabled) should be followed by a verification process. I've seen this setup at many other systems which don't use Keycloak, so I guess our design is not that special.

So what you really want is a verification process to make sure that the new email address is valid?
Try the "Verify email" option and see if that meets your requirements.

Kind regards,
Ales Fuchs
On Wed, 31 Jul 2019 at 20:07, Stan Silvert <ssilvert(a)redhat.com> wrote:
Are you sure that is what you want?
Email addresses do change. Is there some reason it should never be updated?
On 7/31/2019 10:08 AM, Ales Fuchs wrote:
> Hello,
>
> We are using Keycloak version 4.8.3 and in our setting we have the option
> "Email as username" switched on and "Edit username" switched off.
>
> At the same time we need to let users log in and change their name in
> the account console. Once the name and surname is editable, email can be
> changed too, which changes also the username.
>
> The input with email can be hidden, but whoever knows how Keycloak works
> can simply add this input and update the username.
>
> Does anyone have any idea how updating of username can be prevented?
>
> Best regards,
> Ales Fuchs
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user