[keycloak-dev] Support case sensitive usernames

Pedro Igor Silva psilva at redhat.com
Fri Sep 6 13:31:48 EDT 2019 

I also vote for #2 too. IMO, Keycloak does right in regards to case
insensitive usernames. The issue also seems to be use-case specific thus
should be handled as such.

In fact, maybe the attribute could have a more generic name so that it can
reference the "raw username" when the user is federated (either from LDAP
or any other source). Could you have a switch in LDAP provider to
automatically map the "raw username" to tokens ?

Regards.
Pedro Igor

On Fri, Sep 6, 2019 at 1:23 PM Schuster Sebastian (INST-CSS/BSV-OS2) <
Sebastian.Schuster at bosch-si.com> wrote:

> I would vote for 2). We also have some funny requirements around usernames
> of an LDAP we import from to be short and numeric
> because of some SAP system that only likes usernames that way. Instead of
> using this name as the Keycloak username we used a
> special attribute and a mapper like you said and this works like a charm
> for us.
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Open Source Services (INST-CSS/BSV-OS2)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: keycloak-dev-bounces at lists.jboss.org <
> keycloak-dev-bounces at lists.jboss.org> Im Auftrag von Marek Posolda
> Gesendet: Freitag, 6. September 2019 17:16
> An: keycloak-dev at lists.jboss.org
> Betreff: [keycloak-dev] Support case sensitive usernames
>
> At this moment, Keycloak internally saves all usernames in the DB in
> lowercase. This means that if Keycloak DB contains user "john" and user
> fills the login form with uppercase like "John", Keycloak is still able to
> find the user because it lowercase the username from the login form to
> "john" and then query DB for lookup of username "john" . At the same time,
> DB queries have good performance as they are not needed to be case
> sensitive.
>
> Also when we import users from the 3rd party user storage like ldap, we
> first convert them to lowercase. Unfortunately this causes issues for some
> users, as they have LDAP users in uppercase like "JOHN" and usernames in
> keycloak tokens are returned in lowercase like "john", which causes issues
> in some applications.
>
> I see 2 possibilities to address this issue:
>
> 1) Have a switch at the realm level to support case-sensitive usernames
> 2) Address this issue at LDAP level and add special attribute to users
> imported from LDAP
>
> More details:
>
> The solution (1) has some more flexibility and is not LDAP specific,
> however it may either have non-trivial performance penalty due the
> case-sensitive DB searches or it may mean possibility of duplicated
> usernames different just by cases like "john", "John" and "JOHN".
>
> I can imagine that switch at realm level will have 3 options similar to
> this:
>
>   * (a) Don't support case insensitive usernames (default value and
>     current behaviour). So usernames are lowercased before saving to
>     Keycloak DB and before DB searches.
>   * (b) Support case sensitive usernames with case-sensitive duplicated
>     users. If this option is chosen, it will be possible to have for
>     example 3 separate Keycloak users like "mposolda", "Mposolda" and
>     "MPOSOLDA". This will mean that users will need to fill exactly
>     their case-sensitive username on the login form
>   * (c) Support case sensitive usernames without case-sensitive
>     duplicated users. If this option is chosen, you will have
>     case-sensitive user saved in the DB, however it won't be allowed to
>     have duplicated usernames different just by cases. So you won't be
>     able to have "mposolda", "Mposolda" and "MPOSOLDA". The third option
>     has price-to-pay as DB searches will need to be case-sensitive and
>     hence may have quite bad performance as mentioned for example in
>     this blog:
>
> https://alvinalexander.com/sql/sql-select-case-insensitive-query-queries-upper-lower
>     . I am not even convinced whether to ever support this option, I
>     rather vote for no. Performance may be better once we move away from
>     RDBMS to Keycloak.next storage, but not sure.
>
> 2) Address this issue at LDAP level and add special attribute to users
> imported from LDAP. That will allow that LDAP user "MPOSOLDA" can be mapped
> to Keycloak user "mposolda". At the Keycloak level, the user "mposolda"
> will have the attribute like LDAP_USERNAME with the value "MPOSOLDA" . In
> this case, people may need to create protocol mapper, which will map the
> LDAP_USERNAME attribute to their token. Protocol mapper can be added to
> client scope, which can be added to all required clients. Not sure if this
> is workaround or not
>
> So far, I vote for (1) and maybe just add the (a) and (b) options. WDYT?
>
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list