[keycloak-dev] Email/ username case-sensitivity issues
Marek Posolda
mposolda at redhat.com
Fri Jul 17 13:37:58 EDT 2015
There are some case-sensitivity issues, which cause that sometimes you
can add object with duplicated email/username into DB etc. Some details
are at https://issues.jboss.org/browse/KEYCLOAK-1545 or
https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened
with LDAP, but generally issues are not LDAP specific - for example even
without LDAP integration you can add user with email "JOHN at keycloak.org"
and then "john at keycloak.org" . Second user is created successfully,
which doesn't look correct to me.
The solutions I can see is:
1) Ensure that username and email is always added lowercased into DB and
then searched lowercased. We already fixed similar issues earlier, but
not entirely . Right now, we are adding username lowercased and
searching both username and email lowercased, but we are not adding
email lowercased. I've sent PR when I am convert both username and email
to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47039266fe61d
2) Another approach can be to add usernames and emails case sensitively,
but instead ensure that DB searching is case insensitive (lowercased).
For JPA there is "lower" function in HQL, but I am not sure if it's
supported for various databases (and I would really like to avoid DB
specific failures TBH...;-) ). For Mongo there is possibility to
search with regex to achieve case-insensitive search but it sucks due to
performance- so in this case we may need to add separate columns
username_lowercased and email_lowercased, which will be used for
searching to ensure index is used...
I like (1) much more and that's what I used in PR. Any objections
against merging it?
Or is it bad to assume that email are case insensitive? Strictly said,
the "local" part of email is supposed to be case sensitive, so
"JOHN at keycloak.org" and "john at keycloak.org" are theoretically different
emails. But in reality most organizations and mail servers treat them as
same emails - including Google. Just checked that I can successfully
login to Google with MPosOLDA at gmail.com .
Marek
More information about the keycloak-dev
mailing list