[keycloak-dev] Introduce option to select username mode for a realm
Stian Thorgersen
sthorger at redhat.com
Wed Oct 7 08:38:12 EDT 2015
I agree mobile can be done with a separate authenticator, it's probably not
that much additional work to add either. However, that doesn't change the
account management console, registration screens, etc. So there's more
work than that + quite a lot of configuration needed to use mobile instead
of email/username.
It would be nice to have a configurable option on the username/email
authenticator to support only email though. I think we may have this
already but it's a realm option rather than a configuration option on the
authenticator. Same arguments here, if someone just wants to use email, the
username shouldn't be displayed on login, registration and account
management.
On 7 October 2015 at 14:28, Marek Posolda <mposolda at redhat.com> wrote:
> On 06/10/15 09:50, Stian Thorgersen wrote:
>
> We have someone from the community that wants to use mobile number as
> the username, as well as verify mobile number by sending a code via SMS.
> See "Login by mobile number" thread in user mailing list for more details.
> They are also willing to contribute this back to the community.
>
> That made me think it may be nice to be able to configure the behavior of
> the username "field" for a realm. We could have a simple drop-down in the
> admin console to configure username mode, with the following options:
>
> * Username/email - default behavior where a user provides both a username
> and email, and the user can login with either. In this mode email has to be
> unique.
> * Username - a user can only login with a username. In this mode we could
> relax the requirement that email has to be unique (that may be difficult
> though as it would require not using a database constraint, which may make
> it rather difficult to guarantee uniqueness in other modes)
>
> Even if we add the option, I wouldn't remove email uniqueness. Admin can
> decide to change the mode back to "Username" to "Email" and then some users
> won't be able to login due to many users with same email. Also, is there a
> use case when there are 2 different users in realm with same email?
>
> * Email - in this mode only email can be used to login. In this mode
> username field would not be displayed on the registration form or account
> management console. In the token the username would be set to email. In
> this mode verify email address should be enabled by default.
> * Mobile - user logs in with a mobile number. We can either just add
> mobile number to the username field or add a new mobile field and require
> uniqueness on that field. In this mode verify mobile number should be
> enabled by default.
>
> For the "Mobile" support, isn't it an option to remove default
> username/password Authenticator and add new Authenticator based on mobile
> number? Also registration screen can be customized and account management
> as well. Also user can already use protocol mapper to map "mobile_number"
> attribute to "preferred_username" or whatever he wants into access token.
>
> TBH advantages of introducing new option are a bit unclear to me. It looks
> like adding another complexity, which is not needed as authentication with
> mobile can be done with the SPIs we have now IMO.
>
> Marek
>
>
> With regards to implementation I think it would be easier to make the
> existing username/password authenticator, registration form and account
> management adapt to the mode rather than have separate authenticators,
> etc. for each mode.
>
>