[keycloak-dev] Can't login with email as username if another user has same email

Stian Thorgersen sthorger at redhat.com
Mon Nov 13 10:37:18 EST 2017


That might be a good option. We could potentially do that only for new
users and leave existing users untouched during migration.

On 10 November 2017 at 13:20, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> I could also imagine enforcing in the server that whenever a user has an
> email as the username, it is always identical to the email address.
> However, that change might be problematic considering all the existing
> data...
>
> Best regards,
> Sebastian
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org]
> On Behalf Of Stian Thorgersen
> Sent: Friday, 10 November 2017 07:14
> To: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [keycloak-dev] Can't login with email as username if another user
> has same email
>
> If user#1 has the username 'user at host.com' with no email, and user#2 has
> the email 'user at host.com', user#1 would not be able to login.
>
> In this case user#1 would have to contact the admin who would have to
> change the username or add an email.
>
> This issue was reported a while back by our QE [1], but AFAIK no actual
> users have run into this problem and it seems unlikely that it'll be a real
> problem.
>
> I'm leaning towards just closing this issue as won't fix.
>
> Best ideas I have for solving are:
>
> 1. Make sure username can't match email of another user. Not sure how we
> could do this as I'm pretty sure that couldn't be done with SQL.
>
> 2. Add a code check for the above. It won't be guaranteed, but maybe
> good enough?
>
> 3. Add option to set if realm should allow login by "Username and email",
> "Username only" or "Email only". For the "Username and email" option we
> should document the fact that this issue can happen and that email always
> wins.
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-4466
>
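Added example, not part of the original messages and not Keycloak code: a simplified in-memory model of the "Username and email" lookup described in the thread (email always wins), the code check from idea 2, and an audit of existing data for users who are already shadowed. The `User` type, all function names, the sample users and the case-insensitive comparison are assumptions made for illustration.

```python
# Illustrative model only; names and data are constructed, not Keycloak's API.
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    id: str
    username: str
    email: Optional[str] = None

def _norm(value):
    # Assumption: login identifiers compare case-insensitively.
    return value.strip().lower() if value else None

def resolve_login(users, login):
    """'Username and email' lookup as described in the thread: email wins."""
    key = _norm(login)
    for u in users:
        if _norm(u.email) == key:
            return u
    for u in users:
        if _norm(u.username) == key:
            return u
    return None

def identity_conflicts(users, candidate):
    """Idea 2: check before create/update; returns the users that collide.
    The check is not atomic, so concurrent writes can still both pass."""
    name, mail = _norm(candidate.username), _norm(candidate.email)
    return [u for u in users
            if u.id != candidate.id
            and (_norm(u.email) == name
                 or (mail is not None and _norm(u.username) == mail))]

def shadowed_users(users):
    """Audit existing data: users whose own username resolves to someone else."""
    return [u for u in users if resolve_login(users, u.username).id != u.id]

# Constructed sample data mirroring user#1 and user#2 from the thread.
USERS = [User("1", "user@host.com"), User("2", "bob", "user@host.com")]

if __name__ == "__main__":
    print("login resolves to user", resolve_login(USERS, "user@host.com").id)
    print("shadowed:", [u.id for u in shadowed_users(USERS)])
```

Running `shadowed_users` over an export of existing accounts shows which users would need an admin to change the username or add an email before a stricter rule is enforced.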

