[keycloak-user] Empty username allowed in review profile config

Kaspar Papli kaspar.papli at gmail.com
Wed Sep 11 06:45:33 EDT 2019


Hey,

I discovered that an empty username is allowed in the Update Account
Information page which appears in the first broker login flow. I assume
this is a bug?

Steps to reproduce:
1. Set up Google as an identity provider.
2. Set Authentication Flows -> First Broker Login -> review profile config
-> Actions -> Config -> Update Profile on First Login -> "on"
3. Attempt login with Google (with a Google account that is not yet
connected to any Keycloak account).
4. After authentication with Google, in the Update Account Information
page, delete the username, i.e. set it to an empty string, and submit.

Expected result:
An error is shown about the username being required.

Actual result:
Registration succeeds and an account is created with an empty username.

Workaround:
Create an account with an empty username like this. In that case, the next
attempt at repeating this fails with "User with username already exists".

Realm login settings in my configuration that might be relevant:
- User registration: on
- Email as username: off
- Edit username: off
- Forgot password: on
- Remember me: on
- Verify email: on
- Login with email: on

Keycloak version: 7.0.0

All the best,
Kaspar
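
Added example, not part of the original message and not Keycloak's own code: a check for accounts that already exist with a missing, empty or whitespace-only username, run over a realm export. The JSON field names (users, username, federatedIdentities, identityProvider) are assumed to match the export format, and the sample data is constructed.

```python
import json

# Constructed sample shaped like the "users" section of a realm export;
# ids, names and addresses are made up for illustration.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "users": [
        {"id": "u-1", "username": "alice", "email": "alice@example.test",
         "federatedIdentities": [{"identityProvider": "google",
                                  "userName": "alice@example.test"}]},
        {"id": "u-2", "username": "", "email": "bob@example.test",
         "federatedIdentities": [{"identityProvider": "google",
                                  "userName": "bob@example.test"}]},
        {"id": "u-3", "username": "   ", "email": "carol@example.test"},
        {"id": "u-4", "email": "dave@example.test"},
    ],
})


def find_blank_usernames(export_text):
    """Return one finding per user whose username is missing, empty or whitespace."""
    realm = json.loads(export_text)
    findings = []
    for user in realm.get("users", []):
        username = user.get("username")
        if isinstance(username, str) and username.strip():
            continue  # username has visible characters, nothing to report
        # Identity providers linked to the account (assumed field names).
        brokers = sorted(
            fed.get("identityProvider", "?")
            for fed in user.get("federatedIdentities") or []
        )
        findings.append({
            "id": user.get("id"),
            "email": user.get("email"),
            "username": username,
            "brokers": brokers,
        })
    return findings


if __name__ == "__main__":
    for f in find_blank_usernames(SAMPLE_EXPORT):
        print(f"{f['id']}: username={f['username']!r} "
              f"email={f['email']} brokers={f['brokers']}")
```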

