[keycloak-dev] User ids and usernames

Stian Thorgersen stian at redhat.com
Thu Feb 6 09:48:07 EST 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 February, 2014 2:15:41 PM
> Subject: Re: [keycloak-dev] User ids and usernames
> 
> On 2/6/2014 5:02 AM, Stian Thorgersen wrote:
> > A user should have an id, username and email (what we have now). The id
> > should be generated by the server and should never change for a user. The
> > sub field in the token should use this id, not the username. Applications
> > that wants to store information associated with a specific user should
> > also use this id, not the username or email, as the id will never change.
> >
> > That means it should be possible for a user to change his/her username.
> > Obviously a username has to be unique within a realm. We should then allow
> > a user to login with either their username or their password. When a user
> > is able to login with their username we can also remove the forgot
> > username option on the login form, and only have a forgot password option.
> >
> > This would also help integration with social login as now we don't have to
> > try to create a sensible username for a user on social login. Instead we
> > create a generated id, and don't even set a username. A user can then set
> > the username they want through the account management (or on the update
> > profile action page if that option is enabled).
> >
> > If there's no objections to this, I'd like to add these changes to alpha2.
> 
> Ugh, this is just a nasty change. Usernames will rarely, if ever,
> change and I don't like the idea that users can change their username.
> A principal name of "bill" is much more coherent than
> "2341235234234-234123-234123-2341234".

Doesn't matter, does it? It's just an identifier; if someone wants to know more about the user they should retrieve the user profile.

> 
> I want to ping jboss.org guys and see if they allow changing or setting
> usernames for their social login or how they handle that scenario.

Some sites let users change their username, others don't. Without using the id of a user in the token we can't support applications that do want to let users change their passwords.

BTW Google, Twitter, Facebook and GitHub all have an ID on a user as well as a username/login name.

In the future I think we should support various scenarios to accommodate what Keycloak users' needs are:

* No username, users can only login with email
* Allow changing username
* Don't allow users to change username

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
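As an added illustration of the proposal discussed in this thread (example code, not Keycloak's own and not from either poster), the following constructed Python model gives each realm user a server-generated id that never changes and is carried in the token's `sub` claim, a mutable username that must be unique within the realm, and a login lookup that accepts either username or email. The names `Realm`, `User`, `issue_token` and `app_lookup` and the sample users are assumptions made for this example; it shows that application data keyed on `sub` survives a username change, while data keyed on the username is lost and can be misattributed once another user takes the freed name.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    id: str                          # generated by the server once; never changes
    email: str
    username: Optional[str] = None   # may be unset (e.g. after social login) and may change


class Realm:
    """Constructed in-memory user store: id is immutable, username/email are unique per realm."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def _taken(self, value: Optional[str], except_id: Optional[str] = None) -> bool:
        # A login value is taken if any *other* user already uses it as username or email.
        return value is not None and any(
            u.id != except_id and value in (u.username, u.email) for u in self.users.values()
        )

    def create_user(self, email: str, username: Optional[str] = None) -> User:
        if self._taken(email) or self._taken(username):
            raise ValueError("username or email already in use in this realm")
        user = User(id=str(uuid.uuid4()), email=email, username=username)
        self.users[user.id] = user
        return user

    def find(self, login: str) -> Optional[User]:
        """Login form accepts either the username or the email address."""
        return next((u for u in self.users.values() if login in (u.username, u.email)), None)

    def set_username(self, user_id: str, new_username: str) -> User:
        if self._taken(new_username, except_id=user_id):
            raise ValueError("username already in use in this realm")
        self.users[user_id].username = new_username
        return self.users[user_id]


def issue_token(user: User) -> dict:
    """'sub' carries the immutable id; the profile fields are informational only."""
    return {"sub": user.id, "preferred_username": user.username, "email": user.email}


def app_lookup(store: dict, token: dict, key: str):
    """An application's per-user record, keyed either by 'sub' (stable) or by username (fragile)."""
    return store.get(token[key])
```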