[keycloak-dev] Users with duplicated emails

Marek Posolda mposolda at redhat.com
Mon Feb 15 02:54:48 EST 2016


On 15/02/16 05:51, Fabricio Milone wrote:
> Hi,
>
> I've been trying to solve an issue with my Federator for a few days 
> now when I import users that don't exist in Keycloak (but they do 
> exist in my Federator DB).
>
> I'm getting a duplicated value constraint violation error on 
> email_constraint attribute from user_entity table. So I looked into 
> the source code and found that the emailConstraint attribute is being 
> set to the email value when I'm calling UserEntity.setEmail(String email).
>
> public void setEmail(String email) {
>     this.email = email;
>     this.emailConstraint = email != null ? email : KeycloakModelUtils.generateId();
> }
>
> Also I saw this comment in UserEntity.java:64:
> // Hack just to workaround the fact that on MS-SQL you can't have
> // unique constraint with multiple NULL values
> // TODO: Find better solution (like unique index with 'where' but that's proprietary)
> @Column(name = "EMAIL_CONSTRAINT")
> protected String emailConstraint = KeycloakModelUtils.generateId();
>
> My system allows duplicated email addresses and that cannot change.
>
> Is there any way to allow duplicated email addresses on Keycloak?
> Are you planning on an improvement to add support for a configurable 
> unique key for users?
> What would be the best way to get rid of that constraint?
It depends on whether you want to use some Keycloak features which rely on 
sending emails to users (i.e. Forgot password).

1) If not, then you have full control in your UserFederationProvider and 
you can skip official "email" attribute and use some completely 
different attribute. Like instead of:

keycloakUser.setEmail(emailFromYourFederatorDB);

you use:

keycloakUser.setSingleAttribute("custom-email", emailFromYourFederatorDB);

You can also create protocolMappers for your clients to ensure that 
emails from attribute "custom-email" are used in access tokens, so your 
applications will properly see the user's emails in attribute "email" 
inside access token.


2) If yes, I suggest relying on the default Keycloak user "email" attribute, 
but change your DB to not allow duplicate emails. Having multiple 
accounts with the same email is broken architecture IMO. Among other issues, 
there can be security flaws like:
- user1 clicks on the "Forgot password" link
- user2 (who has the same email as user1) reads the email sent by 
Keycloak to user1. He clicks on the link and resets the password of user1
- user2 is able to login as user1

Marek
>
> As a reference, I'm using Keycloak 1.7.0 and Informix as a DB.
>
> Any help would be appreciated.
>
> Thanks in advance.
>
> Regards,
> Fab
>
>
> -- 
> Fabricio Milone
> Developer
> Shine Consulting
>
> 30/600 Bourke Street
> Melbourne VIC 3000
> T: 03 8488 9939
> M: 04 3200 4006
>
> www.shinetech.com <http://www.shinetech.com/> a passion for excellence
>
>
>

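The emailConstraint rule from UserEntity and both of Marek's options, modelled in Python as an added example (not Keycloak's own code): UserStore, import_user, map_token_claims and shared_emails are assumed stand-ins for the JPA entity, the federation provider's import step, a "User Attribute" protocol mapper and a duplicate-email audit query.

```python
import uuid

def generate_id():
    # Stand-in for KeycloakModelUtils.generateId(): a random unique string.
    return str(uuid.uuid4())

class DuplicateEmail(Exception):
    """Mirrors the unique-constraint violation on USER_ENTITY.EMAIL_CONSTRAINT."""

class UserStore:
    """Simulates the USER_ENTITY table with its unique EMAIL_CONSTRAINT column (assumed stand-in)."""
    def __init__(self):
        self.users = {}            # username -> row (email, email_constraint, attributes)
        self._constraints = set()  # values already present in EMAIL_CONSTRAINT

    def add_user(self, username, email=None, attributes=None):
        # Same rule as UserEntity.setEmail(): a real email becomes the constraint value,
        # a NULL email gets a generated id so many NULLs do not collide on MS-SQL.
        constraint = email if email is not None else generate_id()
        if constraint in self._constraints:
            raise DuplicateEmail(f"EMAIL_CONSTRAINT already holds {email!r}")
        self._constraints.add(constraint)
        self.users[username] = {"email": email, "email_constraint": constraint,
                                "attributes": dict(attributes or {})}
        return self.users[username]

def import_user(store, record, use_keycloak_email):
    """Option 2 (True): use the official 'email' field, which must then be unique.
    Option 1 (False): keep the federator's email in a custom attribute instead."""
    if use_keycloak_email:
        return store.add_user(record["username"], email=record["email"])
    return store.add_user(record["username"],
                          attributes={"custom-email": record["email"]})

def map_token_claims(user):
    """Stand-in for a 'User Attribute' protocol mapper: expose the custom-email
    attribute as the standard 'email' claim so applications see it as usual."""
    return {"email": user["attributes"].get("custom-email", user["email"])}

def shared_emails(store):
    """Audit: addresses (compared case-insensitively) held by more than one
    account, i.e. the precondition for the forgot-password scenario above."""
    seen = {}
    for name, row in store.users.items():
        addr = row["email"] or row["attributes"].get("custom-email")
        if addr:
            seen.setdefault(addr.lower(), []).append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}
```

Running shared_emails against an export before enabling email-based flows shows which accounts would be exposed to the reset scenario Marek describes.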