[keycloak-user] Prevent users from changing email address when email is used as username

Lukasz Lech l.lech at ringler.ch
Fri Aug 2 04:35:27 EDT 2019


Hello,

We’ve tested that scenario.

Changing email causes changing username (yes, even if ‚edit username‘ is enabled). The action ‘Verify email’ is added, and the user can’t log in. If the new email is invalid, or doesn’t belong to the user, this particular user will never ever be able to log in unless manual action is taken in admin console.

The best way to deal with it, is to remove email from templates. It’s safe, because the only thing that user can achieve by forging http request is to effectively block his account.

I wonder if someone else is using this feature productively and has found out some way to reasonably handle that… Maybe I’m overseeing something more or less obvious…

Best regards,
Lukasz Lech

From: Ales Fuchs [mailto:ales.fuchs at eventival.com]
Sent: Freitag, 2. August 2019 08:36
To: Stan Silvert <ssilvert at redhat.com>
Cc: Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Prevent users from changing email address when email is used as username

Do you mean "Verify email" required action? If yes, is it possible to add this required action to a user automatically with a change of email address in the account console? Is it possible with any option available in the admin console or would I need to program a custom extension of UserProvider?


On Thu, 1 Aug 2019 at 14:29, Stan Silvert <ssilvert at redhat.com<mailto:ssilvert at redhat.com>> wrote:
On 8/1/2019 5:57 AM, Ales Fuchs wrote:
Thank you for your quick response.

Dear Mr. Lech, Disabling "Edit username" in "Realm Settings -> Login" will only hide the username input in the default theme, but not the email input. When email is updated by user, both email and username changes (due to setting of "Email as username") without any request for ownership verification (via mail).

The input element for email can be hidden or removed by adding a custom theme with overridden template. But this is not a bulletproof solution, as the input can be easily added again by editing the HTML in browser's inspector. When a username is changed, user can log in with the new username and original password.Then he can log into an integrated application which takes him as a verified user, but the verification didn't happen. This is a security breach.

Dear Mr. Silvert, Both enabled "Email as username" and disabled "Edit username" is really what we want. We don't want to force users to remember their usernames (yet another login detail) since email address is already useful and unique identifier. And any change of the email address (if it cannot be disabled) should be followed by a verification process. I've seen this setup at many other systems which don't use Keycloak, so I guess our design is not that special.
So what you really want is a verification process to make sure that the new email address is valid?

Try the "Verify email" option and see if that meets your requirements.



Kind regards,
Ales Fuchs


On Wed, 31 Jul 2019 at 20:07, Stan Silvert <ssilvert at redhat.com<mailto:ssilvert at redhat.com>> wrote:
Are you sure that is what you want?

Email addresses do change.  Is there some reason it should never be updated?

On 7/31/2019 10:08 AM, Ales Fuchs wrote:
> Hello,
>
> We are using Keycloak version 4.8.3 and in our setting we have the option
> "Email as username" switched on and "Edit username" switched off.
>
> At the same time we need to let users to log in and change their name in
> the account console. Once the name and surname is editable, email can be
> changed too, which changes also the username.
>
> The input with email can be hidden, but whoever knows how Keycloak works
> can simply add this input and update the username.
>
> Does anyone have any idea how updating of username can be prevented?
>
> Best regards,
> Ales Fuchs
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user




More information about the keycloak-user mailing list