[keycloak-dev] Email/ username case-sensitivity issues

Marek Posolda mposolda at redhat.com
Tue Jul 21 02:58:53 EDT 2015


Thanks for the confirmation. PR merged, going to resolve all the related 
jiras assigned to me.

Marek

On 20.7.2015 08:10, Stian Thorgersen wrote:
> Marek: assigned https://issues.jboss.org/browse/KEYCLOAK-1544 to you as it's related to the fix you've done
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Marek Posolda" <mposolda at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, 20 July, 2015 6:42:49 AM
>> Subject: Re: [keycloak-dev] Email/ username case-sensitivity issues
>>
>>
>>
>> ----- Original Message -----
>>> From: "Marek Posolda" <mposolda at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Friday, 17 July, 2015 7:37:58 PM
>>> Subject: [keycloak-dev] Email/ username case-sensitivity issues
>>>
>>> There are some case-sensitivity issues which mean that sometimes you
>>> can add an object with a duplicated email/username into the DB, etc. Some details
>>> are at https://issues.jboss.org/browse/KEYCLOAK-1545 or
>>> https://issues.jboss.org/browse/KEYCLOAK-1551 . Those issues happened
>>> with LDAP, but generally the issues are not LDAP specific - for example even
>>> without LDAP integration you can add a user with email "JOHN at keycloak.org"
>>> and then "john at keycloak.org" . The second user is created successfully,
>>> which doesn't look correct to me.
>>>
>>> The solutions I can see are:
>>> 1) Ensure that username and email are always added lowercased into the DB and
>>> then searched lowercased. We already fixed similar issues earlier, but
>>> not entirely. Right now, we are adding the username lowercased and
>>> searching both username and email lowercased, but we are not adding
>>> the email lowercased. I've sent a PR in which I convert both username and email
>>> to lowercase in UserAdapter.setEmail and UserAdapter.setUserName -
>>> https://github.com/mposolda/keycloak/commit/66f16bf654fc22570ce9ef7b34c47039266fe61d
>>>
>>>
>>> 2) Another approach can be to add usernames and emails case sensitively,
>>> but instead ensure that DB searching is case insensitive (lowercased).
>>> For JPA there is a "lower" function in HQL, but I am not sure if it's
>>> supported for various databases (and I would really like to avoid DB
>>> specific failures TBH...;-)   ).  For Mongo there is the possibility to
>>> search with a regex to achieve case-insensitive search, but it sucks due to
>>> performance - so in this case we may need to add separate columns
>>> username_lowercased and email_lowercased, which will be used for
>>> searching to ensure the index is used...
>>>
>>> I like (1) much more and that's what I used in PR. Any objections
>>> against merging it?
>> +1 to (1). That's what we intended to do the first time around, but we seem to
>> have forgotten email by mistake. We had the same discussion about the local
>> part being case sensitive back then as well ;)
>>
>>> Or is it bad to assume that emails are case insensitive? Strictly speaking,
>>> the "local" part of an email is supposed to be case sensitive, so
>>> "JOHN at keycloak.org" and "john at keycloak.org" are theoretically different
>>> emails. But in reality most organizations and mail servers treat them as
>>> the same emails - including Google. I just checked that I can successfully
>>> log in to Google with MPosOLDA at gmail.com .
>>>
>>> Marek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>

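The two states Marek describes in the quoted thread, as an added example that is not Keycloak code: a store that (like the pre-fix code) lowercases the username on insert and lowercases search terms but stores the email as given, beside the fixed store that lowercases both. The class and method names here are assumptions for illustration, not Keycloak's UserAdapter API.

```python
# Added example, not Keycloak code. Models approach (1) from the thread:
# normalise username and email to lowercase on write, search lowercased.
# With lowercase_email=False it reproduces the pre-fix state where a second
# user with a differently cased email slips past the duplicate check.


class UserStore:
    """In-memory stand-in for the DB (hypothetical, not Keycloak's API)."""

    def __init__(self, lowercase_email: bool):
        self.lowercase_email = lowercase_email
        self.users = []  # a real DB would also carry unique indexes

    def _stored_email(self, email: str) -> str:
        # Pre-fix: email stored as given; fixed: stored lowercased.
        return email.lower() if self.lowercase_email else email

    def find_by_username(self, username: str):
        key = username.lower()  # search term lowercased in both states
        return next((u for u in self.users if u["username"] == key), None)

    def find_by_email(self, email: str):
        key = email.lower()  # search term lowercased in both states
        return next((u for u in self.users if u["email"] == key), None)

    def add_user(self, username: str, email: str) -> dict:
        # Duplicate check relies on the lookups above, so a stored
        # mixed-case email is invisible to it in the pre-fix state.
        if self.find_by_username(username) or self.find_by_email(email):
            raise ValueError("duplicate username or email")
        user = {"username": username.lower(),
                "email": self._stored_email(email)}
        self.users.append(user)
        return user


def demo(lowercase_email: bool) -> str:
    """Replay the scenario from the thread: JOHN@... then john@..."""
    store = UserStore(lowercase_email)
    store.add_user("John", "JOHN@keycloak.org")  # constructed sample data
    try:
        store.add_user("john2", "john@keycloak.org")
        return "duplicate created"
    except ValueError:
        return "duplicate rejected"


if __name__ == "__main__":
    print("pre-fix:", demo(False))  # duplicate created
    print("fixed:  ", demo(True))   # duplicate rejected
```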