[keycloak-dev] Customizing usernames

Mon Jun 24 06:52:54 EDT 2019

Hi,

I am not sure about the side-effect of this. IMO it will be better if 
"Username Template Importer" mapper is allowed as the mapper in the 
github provider (as well as other social providers). Then it will work 
with the Github provider without need to configure Github as generic 
OIDC. If you are able to create JIRA and send PR for this change, it 
will be nice :)

Thanks,
Marek

On 21/06/2019 13:59, Asier Aguado wrote:
> Hi Marek,
>
> We're still trying to configure GitHub using the generic OIDC 
> provider, so we can use the username template mapper we need.
>
> According to the GitHub docs [1], the token URL returns its content in 
> a different format depending on the HTTP header received. Keycloak 
> seems to parse it as JSON, so it could make sense to include the 
> header "Accept: application/json" in the request. Would this change 
> fix the parsing error?
>
> Thanks,
> Asier
>
> [1] 
> https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/
>
>
> On 18/06/2019 13:49, Paolo Tedesco wrote:-
>> Hi Marek,
>>
>> Thanks a lot for your reply, we were trying to configure this with 
>> the Github provider, which allows less customization in the mappers.
>> The username template mapper looks exactly like what we need, but we 
>> don't manage to configure a generic OpenID connect Identity Provider 
>> to work with Github.
>> We get an error saying "could not decode access token response".
>> It seems that Github by default return something like this in the 
>> token URL
>>
>> access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer
>>
>> and the identity provider tries to parse it as a JWT.
>> Is it possible to configure github as a generic OpenID connect IDP?
>>
>> Thanks,
>> Paolo
>>
>> -----Original Message-----
>> From: Marek Posolda <mposolda at redhat.com>
>> Sent: Friday, June 14, 2019 18:01
>> To: Paolo Tedesco <Paolo.Tedesco at cern.ch>; stian at redhat.com
>> Cc: keycloak-dev at lists.jboss.org; Asier Aguado Corman 
>> <asier.aguado at cern.ch>; Hannah Short <hannah.short at cern.ch>; Cristian 
>> Schuszter <cristian.schuszter at cern.ch>
>> Subject: Re: [keycloak-dev] Customizing usernames
>>
>> I think that for this, you can use "Username Template" importer. It 
>> is the IdentityProvider mapper. After creating Identity Provider, you 
>> can click to tab "Mappers" and configure it here. Just a note that 
>> with this approach, you will end with duplicated keycloak accounts 
>> for someone, who may be same person.
>>
>> Another possibility is to tweak the "First Broker Login" flow and 
>> tweak authenticators. For example automatically merge accounts 
>> without prompting (But this option has some security implications, 
>> see docs for the details).
>>
>> If you have some recommendations for the usability of the default 
>> dialog, feel free to suggest here. But IMO having both the 
>> "automerging accounts" or "duplicated accounts" is problematic and 
>> hence we have the option of asking users for merge accounts OOTB.
>>
>> Marek
>>
>> Dne 14. 06. 19 v 8:33 Paolo Tedesco napsal(a):
>>> Hi Stian,
>>>
>>> We want to avoid that users are presented with the "account already 
>>> exists" dialogue and the option to merge accounts, because we think 
>>> that it wouldn't always be clear for users what is going on.
>>> We managed to turn off the unique email validation, but then, for 
>>> what we understood, we need to have unique usernames.
>>> Maybe we are just missing something, then how do we configure unique 
>>> IDs (which are not mail addresses) instead of usernames?
>>>
>>> Thanks,
>>> Paolo
>>>
>>> From: Stian Thorgersen <sthorger at redhat.com>
>>> Sent: Thursday, June 13, 2019 18:36
>>> To: Paolo Tedesco <Paolo.Tedesco at cern.ch>
>>> Cc: keycloak-dev at lists.jboss.org; Cristian Schuszter
>>> <cristian.schuszter at cern.ch>; Asier Aguado Corman
>>> <asier.aguado at cern.ch>; Hannah Short <hannah.short at cern.ch>
>>> Subject: Re: [keycloak-dev] Customizing usernames
>>>
>>> Could you explain your use-case a bit better? It seems to me that 
>>> having a unique id as we do for the users today is exactly what you 
>>> want. We decided to use a unique id rather than the username for 
>>> exactly the reasons you mention.
>>>
>>> On Thu, 13 Jun 2019 at 13:19, Paolo Tedesco 
>>> <Paolo.Tedesco at cern.ch<mailto:Paolo.Tedesco at cern.ch>> wrote:
>>> Hi all,
>>>
>>>
>>>
>>> I'm looking for a way to customize the unique identifiers used by 
>>> Keycloak in its internal user database, to avoid possible email or 
>>> username clashes.
>>>
>>> For example, I would like to be able to change the username of 
>>> someone logging in through github to 
>>> "login at github.com<mailto:login at github.com>", so that if someone has 
>>> the same login in the CERN LDAP the user is not offered the 
>>> possibility to merge the accounts.
>>>
>>> Our problems come from the fact that we allow people to change their 
>>> mail addresses, and also to use external non-CERN addresses as their 
>>> email, so we cannot rely on email much.
>>> We would also like to avoid people to merge accounts at all as we 
>>> think this might be confusing for users on some occasions, and 
>>> generate support tickets for us.
>>>
>>> Is there a supported way to do this, or would we need to code 
>>> something ourselves?
>>> If we need to code something, should we write a plugin of some kind 
>>> (e.g. custom mappers) or would we need to modify directly the code 
>>> that manages the login from the identity provider?
>>> In case someone else requested something similar, we might make our 
>>> development available.
>>>
>>> Thanks,
>>> Paolo Tedesco
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>