[keycloak-user] Prevent users from changing email address when email is used as username

Stan Silvert ssilvert at redhat.com
Thu Aug 1 08:29:25 EDT 2019


On 8/1/2019 5:57 AM, Ales Fuchs wrote:
> Thank you for your quick response.
>
> Dear Mr. Lech, Disabling "Edit username" in "Realm Settings -> Login" 
> will only hide the username input in the default theme, but not the 
> email input. When email is updated by user, both email and username 
> changes (due to setting of "Email as username") without any request 
> for ownership verification (via mail).
>
> The input element for email can be hidden or removed by adding a 
> custom theme with overridden template. But this is not a bulletproof 
> solution, as the input can be easily added again by editing the HTML 
> in the browser's inspector. When a username is changed, the user can log in 
> with the new username and original password. Then he can log into an 
> integrated application which takes him as a verified user, but the 
> verification didn't happen. This is a security breach.
>
> Dear Mr. Silvert, Both enabled "Email as username" and disabled "Edit 
> username" is really what we want. We don't want to force users to 
> remember their usernames (yet another login detail) since email 
> address is already useful and unique identifier. And any change of the 
> email address (if it cannot be disabled) should be followed by a 
> verification process. I've seen this setup at many other systems which 
> don't use Keycloak, so I guess our design is not that special.
So what you really want is a verification process to make sure that the 
new email address is valid?

Try the "Verify email" option and see if that meets your requirements.

>
> Kind regards,
> Ales Fuchs
>
>
> On Wed, 31 Jul 2019 at 20:07, Stan Silvert <ssilvert at redhat.com> wrote:
>
>     Are you sure that is what you want?
>
>     Email addresses do change.  Is there some reason it should never
>     be updated?
>
>     On 7/31/2019 10:08 AM, Ales Fuchs wrote:
>     > Hello,
>     >
>     > We are using Keycloak version 4.8.3 and in our setting we have the option
>     > "Email as username" switched on and "Edit username" switched off.
>     >
>     > At the same time we need to let users log in and change their name in
>     > the account console. Once the name and surname are editable, email can be
>     > changed too, which also changes the username.
>     >
>     > The input with email can be hidden, but whoever knows how Keycloak works
>     > can simply add this input and update the username.
>     >
>     > Does anyone have any idea how updating of username can be prevented?
>     >
>     > Best regards,
>     > Ales Fuchs
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
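The point of the thread is that hiding the email input in a theme is a client-side control only: whatever the browser posts reaches the server, and the server decides. The following is an added illustration (not Keycloak code, and not a description of what Keycloak 4.8.3 does) of an account-update handler that makes that decision from the realm policy rather than from which form fields were present, and that stages an email change behind a mailed verification token instead of renaming the account immediately. The policy names, the `User` fields and the sample user are all constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Optional
import secrets


@dataclass
class RealmPolicy:
    """Models the three realm switches discussed in the thread (field names are ours)."""
    email_as_username: bool = True
    edit_username_allowed: bool = False
    verify_email: bool = True


@dataclass
class User:
    username: str
    email: str
    email_verified: bool = True
    first_name: str = ""
    last_name: str = ""
    pending_email: Optional[str] = None   # new address awaiting proof of ownership
    pending_token: Optional[str] = None   # one-time token mailed to pending_email


class UpdateRejected(Exception):
    """Raised when the posted form asks for something the policy forbids."""


def _normalize(email: str) -> str:
    return email.strip().lower()


def apply_account_update(user: User, form: dict, policy: RealmPolicy):
    """Server-side handling of an account-console update.

    `form` is exactly what the client posted. A field removed from the template
    can be added back in the browser, so the email decision is taken here from
    the policy, never from whether the field appeared in the form.
    Returns (updated_user, verification_token_or_None); `user` is not mutated.
    """
    updated = replace(user)
    updated.first_name = form.get("firstName", user.first_name)
    updated.last_name = form.get("lastName", user.last_name)

    new_email = form.get("email")
    if new_email is None or _normalize(new_email) == _normalize(user.email):
        return updated, None          # no email change requested

    if policy.email_as_username and not policy.edit_username_allowed:
        # Email is the login name here; with username editing off the change is refused.
        raise UpdateRejected("email doubles as username and username editing is disabled")

    if policy.verify_email:
        # Stage the change: email and username stay as they are until the owner
        # of the new address returns the token that was mailed to it.
        token = secrets.token_urlsafe(32)
        updated.pending_email = _normalize(new_email)
        updated.pending_token = token
        return updated, token

    # Policy allows unverified changes: apply now, but drop the verified flag.
    updated.email = _normalize(new_email)
    if policy.email_as_username:
        updated.username = updated.email
    updated.email_verified = False
    return updated, None


def confirm_email(user: User, token: str, policy: RealmPolicy) -> User:
    """Complete a staged email change when the mailed token comes back."""
    if user.pending_token is None or not secrets.compare_digest(
            token.encode(), user.pending_token.encode()):
        raise UpdateRejected("no pending change or token mismatch")
    confirmed = replace(user, email=user.pending_email, email_verified=True,
                        pending_email=None, pending_token=None)
    if policy.email_as_username:
        confirmed.username = confirmed.email
    return confirmed


if __name__ == "__main__":
    # Constructed sample: the thread's setup (email as username, edit username off).
    alice = User(username="alice@example.com", email="alice@example.com")
    try:
        apply_account_update(alice, {"firstName": "Alice", "email": "other@example.com"},
                             RealmPolicy())
    except UpdateRejected as exc:
        print("rejected:", exc)
```

With the thread's settings, a posted `email` field that differs from the stored address is rejected no matter how it got into the request, while name changes go through. With username editing allowed and "Verify email" on, the username is only rewritten inside `confirm_email`, after the token has been presented.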
