[keycloak-dev] Custom attributes for roles

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Fri Nov 10 04:49:16 EST 2017


Hi everybody,

For compliance reasons, I have to store for each role, who is responsible for managing this role. Keycloak has the nice feature of supporting custom attributes for users and groups. I think supporting my requirement would be best done by also having custom attributes per role (that could for example also be mapped from an LDAP).

Do you think custom role attributes would be a valuable addition and could make it upstream?

Best regards,
Sebastian

Kind regards / Best regards

Dr.-Ing. Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn




-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Friday, 10 November 2017 07:14
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [keycloak-dev] Can't login with email as username if another user has same email

If user#1 has the username 'user at host.com' with no email, and user#2 has the email 'user at host.com', user#1 would not be able to login.

In this case user#1 would have to contact the admin who would have to change the username or add an email.

This issue was reported a while back by our QE [1], but AFAIK no actual users have run into this problem and it seems unlikely that it'll be a real problem.

I'm leaning towards just closing this issue as won't fix.

Best ideas I have for solving this are:

1. Make sure username can't match email of another user. Not sure how we could do this as I'm pretty sure that couldn't be done with SQL.

2. Add a code check for the above. It won't be guaranteed, but maybe good enough?

3. Add option to set if realm should allow login by "Username and email", "Username only" or "Email only". For the "Username and email" option we should document the fact that this issue can happen and that email always wins.

[1] https://issues.jboss.org/browse/KEYCLOAK-4466
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
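As an added example (not Keycloak's code and not from either mail), the collision Stian describes modelled in Python: a lookup under the three realm modes of option 3, with email winning over username as the mail says it would be documented, and the code-level uniqueness check of option 2. `User`, `resolve_login`, `conflicts` and the sample accounts are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    username: str
    email: Optional[str] = None


# Constructed sample store reproducing the case from the mail:
# user#1's username is another user's email address.
USERS = [
    User(username="user@host.com"),                 # user#1, no email set
    User(username="user2", email="user@host.com"),  # user#2
]


def resolve_login(identifier: str, users: List[User],
                  mode: str = "username_and_email") -> Optional[User]:
    """Map a login identifier to an account under a realm mode.

    mode is "username_and_email" (an email match wins over a username
    match), "username_only" or "email_only".
    """
    ident = identifier.strip().lower()
    by_email = next((u for u in users
                     if u.email and u.email.lower() == ident), None)
    by_username = next((u for u in users
                        if u.username.lower() == ident), None)
    if mode == "email_only":
        return by_email
    if mode == "username_only":
        return by_username
    return by_email or by_username  # email always wins in the combined mode


def conflicts(candidate: User, users: List[User]) -> List[str]:
    """Option 2: code-level check run before creating or renaming an account.

    Flags a username equal to another user's email, or an email equal to
    another user's username. Being application-side rather than a database
    constraint, it is not race-free, which is the caveat the mail raises.
    """
    problems = []
    for u in users:
        if u.email and u.email.lower() == candidate.username.lower():
            problems.append(f"username {candidate.username!r} equals email of {u.username!r}")
        if candidate.email and candidate.email.lower() == u.username.lower():
            problems.append(f"email {candidate.email!r} equals username of {u.username!r}")
    return problems
```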