[keycloak-dev] Email/ username case-sensitivity issues

Marek Posolda mposolda at redhat.com
Fri Jul 17 13:37:58 EDT 2015

There are some case-sensitivity issues which mean that sometimes you 
can add an object with a duplicated email/username into the DB etc. Some details 
are at https://issues.jboss.org/browse/KEYCLOAK-1545 or 
https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened 
with LDAP, but generally the issues are not LDAP specific - for example even 
without LDAP integration you can add a user with email "JOHN at keycloak.org" 
and then "john at keycloak.org" . The second user is created successfully, 
which doesn't look correct to me.

The solutions I can see are:
1) Ensure that username and email are always added lowercased into the DB and 
then searched lowercased. We already fixed similar issues earlier, but 
not entirely. Right now, we are adding the username lowercased and 
searching both username and email lowercased, but we are not adding 
the email lowercased. I've sent a PR where I convert both username and email 
to lowercase in UserAdapter.setEmail and UserAdapter.setUserName - 

2) Another approach can be to add usernames and emails case sensitively, 
but instead ensure that DB searching is case insensitive (lowercased). 
For JPA there is a "lower" function in HQL, but I am not sure if it's 
supported for various databases (and I would really like to avoid DB 
specific failures TBH...;-)   ).  For Mongo it is possible to 
search with a regex to achieve case-insensitive search, but it sucks due to 
performance - so in this case we may need to add separate columns 
username_lowercased and email_lowercased, which will be used for 
searching to ensure the index is used...

I like (1) much more and that's what I used in PR. Any objections 
against merging it?

Or is it bad to assume that emails are case insensitive? Strictly speaking, 
the "local" part of an email is supposed to be case sensitive, so 
"JOHN at keycloak.org" and "john at keycloak.org" are theoretically different 
emails. But in reality most organizations and mail servers treat them as 
the same emails - including Google. Just checked that I can successfully 
login to Google with MPosOLDA at gmail.com .
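Approach (1) from the mail (lowercase on write and on every lookup, with uniqueness enforced on the stored values), plus an audit for case-only duplicates already sitting in a DB, as an added Python example that is not Keycloak's code. `UserStore`, its sqlite table and the sample addresses are constructed stand-ins for the UserAdapter/DB layer discussed above.

```python
import sqlite3
from collections import defaultdict

# Constructed toy table standing in for Keycloak's user entity (not Keycloak code).
# UNIQUE applies to the stored values, so they must be normalized before INSERT.
SCHEMA = """
CREATE TABLE user_entity (
    id       TEXT PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email    TEXT UNIQUE
);
"""

def normalize(value):
    # Approach (1) from the mail: lowercase on the way in and on every lookup.
    # Assumes email local parts are case-insensitive, which RFC 5321 does not
    # guarantee but which most mail providers honour in practice.
    return None if value is None else value.strip().lower()

class UserStore:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def add_user(self, user_id, username, email):
        # Returns True if created, False if username or email is taken in any case.
        try:
            with self.conn:
                self.conn.execute(
                    "INSERT INTO user_entity (id, username, email) VALUES (?, ?, ?)",
                    (user_id, normalize(username), normalize(email)),
                )
        except sqlite3.IntegrityError:
            return False
        return True

    def find_by_email(self, email):
        # Search key is normalized the same way, so a plain equality index works
        # (no lower()/regex scan over the column, as approach (2) would need).
        row = self.conn.execute(
            "SELECT id FROM user_entity WHERE email = ?", (normalize(email),)
        ).fetchone()
        return row[0] if row else None

def find_case_collisions(values):
    # Audit helper for rows written before normalization: groups values that
    # differ only by case, e.g. "JOHN@..." and "john@...", before migrating.
    groups = defaultdict(list)
    for v in values:
        if v is not None:
            groups[normalize(v)].append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}
```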
