[keycloak-user] Prevent users from changing email address when email is used as username

Ales Fuchs ales.fuchs at eventival.com
Wed Aug 14 07:42:33 EDT 2019


Dear Lukasz,

Thank you for your help. We have tested the same scenario again and you are
right. When someone changes the email address, the username gets changed
too, verification is required and a mail is sent to the new address.
Originally we experienced the problem at a local instance with a slightly
different setup.

The only thing which seems strange to me now is that the user does not get
signed out right after the change of email address. I'm not sure what
problem this could cause though.

Best regards,
Ales Fuchs


On Fri, 2 Aug 2019 at 10:35, Lukasz Lech <l.lech at ringler.ch> wrote:

> Hello,
>
> We've tested that scenario.
>
> Changing the email causes the username to change (yes, even if "edit username" is
> enabled). The action "Verify email" is added, and the user can't log in. If
> the new email is invalid, or doesn't belong to the user, this particular
> user will never ever be able to log in unless manual action is taken in the
> admin console.
>
> The best way to deal with it is to remove email from the templates. It's
> safe, because the only thing that a user can achieve by forging an HTTP request
> is to effectively block his account.
>
> I wonder if someone else is using this feature productively and has found
> out some way to reasonably handle that... Maybe I'm overlooking something more
> or less obvious...
>
> Best regards,
>
> Lukasz Lech
>
> *From:* Ales Fuchs [mailto:ales.fuchs at eventival.com]
> *Sent:* Friday, 2 August 2019 08:36
> *To:* Stan Silvert <ssilvert at redhat.com>
> *Cc:* Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Prevent users from changing email address
> when email is used as username
>
> Do you mean the "Verify email" required action? If yes, is it possible to add
> this required action to a user automatically with a change of email address
> in the account console? Is it possible with any option available in the
> admin console or would I need to program a custom extension of UserProvider?
>
> On Thu, 1 Aug 2019 at 14:29, Stan Silvert <ssilvert at redhat.com> wrote:
>
> On 8/1/2019 5:57 AM, Ales Fuchs wrote:
>
> Thank you for your quick response.
>
> Dear Mr. Lech, disabling "Edit username" in "Realm Settings -> Login" will
> only hide the username input in the default theme, but not the email input.
> When the email is updated by the user, both email and username change (due to
> the setting "Email as username") without any request for ownership
> verification (via mail).
>
> The input element for email can be hidden or removed by adding a custom
> theme with an overridden template. But this is not a bulletproof solution, as
> the input can easily be added again by editing the HTML in the browser's
> inspector. When a username is changed, the user can log in with the new
> username and the original password. Then he can log into an integrated
> application which takes him as a verified user, but the verification didn't
> happen. This is a security breach.
>
> Dear Mr. Silvert, both enabled "Email as username" and disabled "Edit
> username" is really what we want. We don't want to force users to remember
> their usernames (yet another login detail) since the email address is already a
> useful and unique identifier. And any change of the email address (if it
> cannot be disabled) should be followed by a verification process. I've seen
> this setup in many other systems which don't use Keycloak, so I guess our
> design is not that special.
>
> So what you really want is a verification process to make sure that the
> new email address is valid?
>
> Try the "Verify email" option and see if that meets your requirements.
>
> Kind regards,
>
> Ales Fuchs
>
>
> On Wed, 31 Jul 2019 at 20:07, Stan Silvert <ssilvert at redhat.com> wrote:
>
> Are you sure that is what you want?
>
> Email addresses do change.  Is there some reason it should never be
> updated?
>
> On 7/31/2019 10:08 AM, Ales Fuchs wrote:
> > Hello,
> >
> > We are using Keycloak version 4.8.3 and in our setting we have the option
> > "Email as username" switched on and "Edit username" switched off.
> >
> > At the same time we need to let users log in and change their name in
> > the account console. Once the name and surname are editable, the email can be
> > changed too, which also changes the username.
> >
> > The input with the email can be hidden, but whoever knows how Keycloak works
> > can simply add this input and update the username.
> >
> > Does anyone have any idea how updating of the username can be prevented?
> >
> > Best regards,
> > Ales Fuchs
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
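An admin-side check for the state the thread describes (an email change in a realm with "Email as username" leaving an account unable to log in until someone acts in the admin console), as an added example that is not code from the thread or from the Keycloak project; it assumes a placeholder BASE_URL and realm name, an admin bearer token obtained separately, and the standard UserRepresentation fields and VERIFY_EMAIL required-action id that Keycloak exposes over its admin REST API:

```python
# Added example, not from the thread or the Keycloak project. Audits users of a
# realm that uses "Email as username" for accounts stuck behind a pending
# "Verify email" action or whose username no longer matches their email.
import json
import urllib.request

BASE_URL = "https://keycloak.example.invalid"  # placeholder, not a real host
REALM = "myrealm"                              # placeholder realm name

def classify_user(user):
    """Findings for one UserRepresentation dict; empty list means nothing to report."""
    findings = []
    actions = user.get("requiredActions") or []
    # The state from the thread: email changed, VERIFY_EMAIL pending, so the user
    # cannot log in until the mail is acted on or an admin clears the action.
    if "VERIFY_EMAIL" in actions and not user.get("emailVerified", False):
        findings.append("locked_pending_verify")
    # With "Email as username" these should match; a mismatch means some other path
    # (import, admin edit) changed one of them and login identity is ambiguous.
    email = (user.get("email") or "").lower()
    username = (user.get("username") or "").lower()
    if email and username != email:
        findings.append("username_email_mismatch")
    return findings

def audit(users):
    """Map username -> findings for every user with at least one finding."""
    result = {}
    for user in users:
        findings = classify_user(user)
        if findings:
            result[user["username"]] = findings
    return result

def fetch_users(token, first=0, page_size=100):
    """One page of GET /admin/realms/{realm}/users, authenticated with a bearer token."""
    url = f"{BASE_URL}/admin/realms/{REALM}/users?first={first}&max={page_size}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample standing in for a fetch_users() response (not real accounts).
SAMPLE_USERS = [
    {"username": "alice@example.test", "email": "alice@example.test",
     "emailVerified": True, "requiredActions": []},
    {"username": "bob@example.test", "email": "bob@example.test",
     "emailVerified": False, "requiredActions": ["VERIFY_EMAIL"]},
    {"username": "carol", "email": "carol@example.test",
     "emailVerified": True, "requiredActions": []},
]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```

Run it periodically with a real token and page through fetch_users() to catch accounts that an unverifiable email change has locked out, instead of waiting for the user to report it.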

