
Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Out of Date
    • Component: Account - Console

    Description

      The email address is currently unique within one realm, so there can't be two accounts with the same email address. This request asks for a realm-level option to configure whether the email address must be unique.

      There are situations where you want the same email address on several users. One example is using the email address as the contact address of the person responsible for a set of "server accounts". It happens quite often that one and the same person is responsible for more than one such user, so you would want to configure the same email address for several users. This is currently not possible in Keycloak.

      There might be other situations where you want to have the same email address for different accounts. This topic was therefore addressed in the OpenId-Connect-Spezification as the following:

      "Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.
      All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use an email Claim Value across different End-Users at different points in time, and the claimed email address for a given End-User MAY change over time. Therefore, other Claims such as email, phone_number, and preferred_username MUST NOT be used as unique identifiers for the End-User." [OpenID Connect Core 1.0, section 5.7 Claim Stability and Uniqueness]

      Because of this, the specification recommends not treating the email address as unique. Making uniqueness configurable would be a more flexible way of handling the email address and would follow the recommendation of the OpenID Connect specification.

      Possible solution from Stian Thorgersen, from the email discussion on the keycloak-user mailing list:
      "We would need to have a separate field in the db for non-unique email addresses. That's not really a big problem I think, but it would still be a fair bit of work to implement. We'd also need to have an option on a realm on what attribute to use as username, options should be username/email, username or email."
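      The two points above, the OpenID Connect rule that only (iss, sub) identifies an End-User and the proposed realm option for which attribute to log in with, as an added example written for this issue (it is not Keycloak code and not code from the issue). It models a relying party's account store keyed on (iss, sub) with email as a mutable attribute, contrasts it with an email-keyed store where two server accounts sharing one contact email collapse into a single local account, and shows a login lookup that refuses an ambiguous email match instead of silently picking one. The issuer, usernames and claim sets are constructed sample data; the policy names are assumptions, not Keycloak settings.

```python
# Added example for the Keycloak email-uniqueness issue; not Keycloak's own code.
# Issuer, usernames and claim sets below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    iss: str
    sub: str
    username: str
    email: Optional[str] = None  # informational only: may change or be shared


class SubjectKeyedStore:
    """Accounts keyed on (iss, sub) as OIDC Core 1.0 section 5.7 requires."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple[str, str], Account] = {}

    def resolve(self, claims: dict) -> Account:
        """Find or create the account for an already-validated ID token.
        Signature, aud, exp and nonce checks are assumed to have passed."""
        try:
            key = (claims["iss"], claims["sub"])
        except KeyError as missing:
            raise ValueError(f"required claim {missing} missing") from None
        acct = self._by_key.get(key)
        if acct is None:
            acct = Account(claims["iss"], claims["sub"],
                           claims.get("preferred_username", claims["sub"]),
                           claims.get("email"))
            self._by_key[key] = acct
        elif "email" in claims:
            acct.email = claims["email"]  # email may change; never re-key on it
        return acct

    def matches(self, identifier: str, login_with: str) -> List[Account]:
        """Accounts matching a typed login identifier under a realm policy
        (assumed names): 'username', 'email' or 'username_or_email'."""
        if login_with not in ("username", "email", "username_or_email"):
            raise ValueError("unknown login policy")
        found: List[Account] = []
        for acct in self._by_key.values():
            by_name = login_with != "email" and acct.username == identifier
            by_mail = login_with != "username" and acct.email == identifier
            if by_name or by_mail:
                found.append(acct)
        return found

    def login_lookup(self, identifier: str, login_with: str) -> Account:
        """With non-unique emails an email lookup can hit several accounts;
        that case is rejected rather than resolved to an arbitrary one."""
        found = self.matches(identifier, login_with)
        if len(found) != 1:
            raise LookupError(f"{len(found)} accounts match {identifier!r}")
        return found[0]


class EmailKeyedStore:
    """Anti-pattern for contrast: keys accounts on the email claim, so two
    End-Users sharing an email collapse into one local account."""

    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}

    def resolve(self, claims: dict) -> Account:
        email = claims["email"]
        return self._by_email.setdefault(
            email, Account(claims["iss"], claims["sub"],
                           claims.get("preferred_username", ""), email))


# Constructed sample: two server accounts with one responsible contact person.
ISS = "https://idp.example.test"  # hypothetical issuer
CLAIMS_SRV1 = {"iss": ISS, "sub": "srv-1", "preferred_username": "backup-job",
               "email": "ops@example.test"}
CLAIMS_SRV2 = {"iss": ISS, "sub": "srv-2", "preferred_username": "monitor",
               "email": "ops@example.test"}


def demo() -> dict:
    good, bad = SubjectKeyedStore(), EmailKeyedStore()
    g1, g2 = good.resolve(CLAIMS_SRV1), good.resolve(CLAIMS_SRV2)
    b1, b2 = bad.resolve(CLAIMS_SRV1), bad.resolve(CLAIMS_SRV2)
    # Same End-User again with a changed email: same account, email updated.
    g1_again = good.resolve({**CLAIMS_SRV1, "email": "ops-new@example.test"})
    return {
        "subject_keyed_distinct": g1 is not g2,
        # srv-2 lands on srv-1's local account in the email-keyed store
        "email_keyed_collides": b1 is b2 and b2.sub == "srv-1",
        "stable_across_email_change": g1_again is g1 and g1.email == "ops-new@example.test",
        "store": good,
    }


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "store"})
```

      The design point is that once email is not unique, any email-based login path has to be prepared for multiple matches; the `matches` method makes that ambiguity visible so the realm policy can decide whether email login is allowed at all.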

            People

              Assignee: Unassigned
              Reporter: Sebastian Olscher (Inactive)
              Votes: 23
              Watchers: 23