[keycloak-dev] User ids and usernames
stian at redhat.com
Thu Feb 6 09:48:07 EST 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 February, 2014 2:15:41 PM
> Subject: Re: [keycloak-dev] User ids and usernames
> On 2/6/2014 5:02 AM, Stian Thorgersen wrote:
> > A user should have an id, username and email (what we have now). The id
> > should be generated by the server and should never change for a user. The
> > sub field in the token should use this id, not the username. Applications
> > that want to store information associated with a specific user should
> > also use this id, not the username or email, as the id will never change.
> > That means it should be possible for a user to change his/her username.
> > Obviously a username has to be unique within a realm. We should then allow
> > a user to login with either their username or their password. When a user
> > is able to login with their username we can also remove the forgot
> > username option on the login form, and only have a forgot password option.
> > This would also help integration with social login as now we don't have to
> > try to create a sensible username for a user on social login. Instead we
> > create a generated id, and don't even set a username. A user can then set
> > the username they want through the account management (or on the update
> > profile action page if that option is enabled).
> > If there's no objections to this, I'd like to add these changes to alpha2.
> Ugh, this is just a nasty change. usernames will rarely, if ever,
> change and I don't like the idea that users can change their username.
> A principal name of "bill" is much more coherent than
Doesn't matter, does it? It's just an identifier; if someone wants to know more about the user they should retrieve the user profile.
> I want to ping jboss.org guys and see if they allow changing or setting
> usernames for their social login or how they handle that scenario.
Some sites let users change their username, others don't. Without using the id of a user in the token, we can't support applications that do want to let users change their passwords.
BTW Google, Twitter, Facebook and GitHub all have an ID on a user as well as a username/login name.
In the future I think we should support various scenarios to accommodate whatever Keycloak users' needs are:
* No username, users can only login with email
* Allow changing username
* Don't allow users to change username
> Bill Burke
> JBoss, a division of Red Hat
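The following is an added illustration of the data model proposed in this thread; it is not Keycloak code and none of its names (Realm, User, resolve_login, demo) come from the project. It assumes a single realm, a UUID as the server-generated id, usernames and emails compared case-insensitively for uniqueness, PBKDF2 as a stand-in password hash, and a login form that treats any input containing "@" as an email address. The point it shows: the token's sub is the immutable id, a social-login user can exist with no username and pick one later, renaming only touches the username index, and application data keyed by sub survives every rename.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: str                    # server-generated, never changes; this is what goes into 'sub'
    email: str
    username: Optional[str]    # None until a social-login user picks one
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 here is only a stand-in for whatever the real server uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Realm:
    """One realm (hypothetical). Assumption: usernames and emails are unique per realm,
    compared case-insensitively; ids are unique and never reassigned."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._by_id: Dict[str, User] = {}
        self._by_username: Dict[str, str] = {}   # lowercase username -> id
        self._by_email: Dict[str, str] = {}      # lowercase email -> id

    def create_user(self, email: str, password: str, username: Optional[str] = None) -> User:
        email_key = email.lower()
        if email_key in self._by_email:
            raise ValueError("email already registered in realm")
        if username is not None and username.lower() in self._by_username:
            raise ValueError("username already taken in realm")
        salt = os.urandom(16)
        user = User(str(uuid.uuid4()), email, username, salt, _hash_password(password, salt))
        self._by_id[user.id] = user
        self._by_email[email_key] = user.id
        if username is not None:
            self._by_username[username.lower()] = user.id
        return user

    def set_username(self, user_id: str, new_username: str) -> None:
        """Rename: only the username index changes; the id (and thus 'sub') does not."""
        user = self._by_id[user_id]
        key = new_username.lower()
        owner = self._by_username.get(key)
        if owner is not None and owner != user_id:
            raise ValueError("username already taken in realm")
        if user.username is not None:
            self._by_username.pop(user.username.lower(), None)
        user.username = new_username
        self._by_username[key] = user_id

    def resolve_login(self, login: str) -> Optional[User]:
        """The login form accepts either a username or an email address."""
        key = login.lower()
        uid = self._by_email.get(key) if "@" in login else self._by_username.get(key)
        return self._by_id.get(uid) if uid else None

    def authenticate(self, login: str, password: str) -> Optional[dict]:
        """Returns token claims on success. 'sub' carries the stable id, not the username."""
        user = self.resolve_login(login)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return None
        claims = {"iss": self.name, "sub": user.id, "email": user.email}
        if user.username is not None:
            claims["preferred_username"] = user.username
        return claims


def demo() -> Tuple[str, str, dict]:
    """Walk through the proposal with constructed sample data: a social-login user with no
    username logs in by email, later picks a username, renames it, and the application's
    per-user data (keyed by 'sub') is still found after both changes."""
    realm = Realm("demo")
    u = realm.create_user("alice@example.com", "correct horse", username=None)  # social login
    app_data = {}                                       # application-side store keyed by sub
    tok1 = realm.authenticate("alice@example.com", "correct horse")
    app_data[tok1["sub"]] = {"theme": "dark"}
    realm.set_username(u.id, "alice")
    tok2 = realm.authenticate("Alice", "correct horse")  # username login now works too
    realm.set_username(u.id, "alice_t")
    tok3 = realm.authenticate("alice_t", "correct horse")
    assert tok1["sub"] == tok2["sub"] == tok3["sub"] == u.id
    return tok1["sub"], tok3["preferred_username"], app_data[tok3["sub"]]
```

With this layout the "forgot username" flow becomes unnecessary, as the thread suggests: a user who has forgotten their username still logs in by email, and the application never needs to know the username at all to look up its own records.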