[keycloak-user] Prevent users from changing email address when email is used as username

Ales Fuchs ales.fuchs at eventival.com
Fri Aug 2 02:35:47 EDT 2019


Do you mean "Verify email" required action? If yes, is it possible to add
this required action to a user automatically with a change of email address
in the account console? Is it possible with any option available in the
admin console or would I need to program a custom extension of UserProvider?


On Thu, 1 Aug 2019 at 14:29, Stan Silvert <ssilvert at redhat.com> wrote:

> On 8/1/2019 5:57 AM, Ales Fuchs wrote:
>
> Thank you for your quick response.
>
> Dear Mr. Lech, Disabling "Edit username" in "Realm Settings -> Login" will
> only hide the username input in the default theme, but not the email input.
> When the email is updated by a user, both email and username change (due to
> the "Email as username" setting) without any request for ownership
> verification (via mail).
>
> The input element for email can be hidden or removed by adding a custom
> theme with an overridden template. But this is not a bulletproof solution, as
> the input can be easily added again by editing the HTML in the browser's
> inspector. When a username is changed, the user can log in with the new
> username and original password. Then he can log into an integrated
> application which takes him as a verified user, but the verification didn't
> happen. This is a security breach.
>
> Dear Mr. Silvert, Both enabled "Email as username" and disabled "Edit
> username" is really what we want. We don't want to force users to remember
> their usernames (yet another login detail) since an email address is already
> a useful and unique identifier. And any change of the email address (if it
> cannot be disabled) should be followed by a verification process. I've seen
> this setup in many other systems which don't use Keycloak, so I guess our
> design is not that special.
>
> So what you really want is a verification process to make sure that the
> new email address is valid?
>
> Try the "Verify email" option and see if that meets your requirements.
>
>
> Kind regards,
> Ales Fuchs
>
>
> On Wed, 31 Jul 2019 at 20:07, Stan Silvert <ssilvert at redhat.com> wrote:
>
>> Are you sure that is what you want?
>>
>> Email addresses do change.  Is there some reason it should never be
>> updated?
>>
>> On 7/31/2019 10:08 AM, Ales Fuchs wrote:
>> > Hello,
>> >
>> > We are using Keycloak version 4.8.3 and in our setting we have the
>> option
>> > "Email as username" switched on and "Edit username" switched off.
>> >
>> > At the same time we need to let users log in and change their name in
>> > the account console. Once the name and surname are editable, email can be
>> > changed too, which also changes the username.
>> >
>> > The input with email can be hidden, but whoever knows how Keycloak works
>> > can simply add this input and update the username.
>> >
>> > Does anyone have any idea how updating of username can be prevented?
>> >
>> > Best regards,
>> > Ales Fuchs
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
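The thread asks whether the "Verify email" required action can be attached to a user automatically whenever the address is changed from the account console. Keycloak's EventListenerProvider SPI is one way to do that without touching the user storage layer: react to the UPDATE_EMAIL event, mark the new address as unverified and queue VERIFY_EMAIL so the user has to prove ownership at the next login. The following is an added illustration and not code from this thread or from the Keycloak project; the package name and provider id are made up, and the argument order of `getUserById(id, realm)` assumes the Keycloak 4.x API that the thread is about (later releases reversed the parameters).

```java
package com.example.keycloak.verify; // hypothetical package, not part of Keycloak

import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Factory registered through
 * META-INF/services/org.keycloak.events.EventListenerProviderFactory
 * and then enabled per realm under Events -> Config -> Event Listeners.
 */
public class EmailChangeVerifyListenerFactory implements EventListenerProviderFactory {

    // Provider id shown in the admin console; chosen here for the example.
    public static final String ID = "email-change-verify";

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new EmailChangeVerifyListener(session);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }
}

/**
 * Listener that forces re-verification after a self-service email change.
 * Because "Email as username" copies the new address into the username,
 * the account is flagged before the change can be used as a verified identity.
 */
class EmailChangeVerifyListener implements EventListenerProvider {

    private final KeycloakSession session;

    EmailChangeVerifyListener(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // Only the account-console email update is of interest here.
        if (event.getType() != EventType.UPDATE_EMAIL) {
            return;
        }
        // Resolve the realm from the event rather than the request context,
        // so the listener also behaves when no HTTP context is attached.
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        if (realm == null || event.getUserId() == null) {
            return;
        }
        // Keycloak 4.x parameter order (id, realm); newer versions use (realm, id).
        UserModel user = session.users().getUserById(event.getUserId(), realm);
        if (user == null) {
            return;
        }
        // The old verification no longer applies to the new address.
        user.setEmailVerified(false);
        // Queue the built-in "Verify email" required action for the next login.
        user.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
    }

    @Override
    public void onEvent(AdminEvent adminEvent, boolean includeRepresentation) {
        // Admin-initiated changes are left to the administrator's judgement.
    }

    @Override
    public void close() { }
}
```

The listener runs inside the same session as the account update, so the flag and the required action are persisted together with the new address. Two caveats follow from the thread itself: the change to username still happens immediately, so integrated applications should check the `email_verified` claim rather than trusting the username alone, and the listener only reacts to events Keycloak actually emits, so the UPDATE_EMAIL event type must be among those the realm records.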

