[keycloak-dev] Customizing usernames

Paolo Tedesco Paolo.Tedesco at cern.ch
Fri Jun 14 02:33:17 EDT 2019


Hi Stian,

We want to avoid that users are presented with the "account already exists" dialogue and the option to merge accounts, because we think that it wouldn't always be clear for users what is going on.
We managed to turn off the unique email validation, but then, for what we understood, we need to have unique usernames.
Maybe we are just missing something, then how do we configure unique IDs (which are not mail addresses) instead of usernames?

Thanks,
Paolo

From: Stian Thorgersen <sthorger at redhat.com>
Sent: Thursday, June 13, 2019 18:36
To: Paolo Tedesco <Paolo.Tedesco at cern.ch>
Cc: keycloak-dev at lists.jboss.org; Cristian Schuszter <cristian.schuszter at cern.ch>; Asier Aguado Corman <asier.aguado at cern.ch>; Hannah Short <hannah.short at cern.ch>
Subject: Re: [keycloak-dev] Customizing usernames

Could you explain your use-case a bit better? It seems to me that having a unique id as we do for the users today is exactly what you want. We decided to use a unique id rather than the username for exactly the reasons you mention.

On Thu, 13 Jun 2019 at 13:19, Paolo Tedesco <Paolo.Tedesco at cern.ch<mailto:Paolo.Tedesco at cern.ch>> wrote:
Hi all,



I'm looking for a way to customize the unique identifiers used by Keycloak in its internal user database, to avoid possible email or username clashes.

For example, I would like to be able to change the username of someone logging in through github to "login at github.com<mailto:login at github.com>", so that if someone has the same login in the CERN LDAP the user is not offered the possibility to merge the accounts.

Our problems come from the fact that we allow people to change their mail addresses, and also to use external non-CERN addresses as their email, so we cannot rely on email much.
We would also like to avoid people to merge accounts at all as we think this might be confusing for users on some occasions, and generate support tickets for us.

Is there a supported way to do this, or would we need to code something ourselves?
If we need to code something, should we write a plugin of some kind (e.g. custom mappers) or would we need to modify directly the code that manages the login from the identity provider?
In case someone else requested something similar, we might make our development available.

Thanks,
Paolo Tedesco

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev


More information about the keycloak-dev mailing list