Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
Switching Keycloak's setting to "Email as Username" modifies existing usernames for users with custom usernames, replacing them with their email addresses. This unexpected behavior affects configurations where LDAP is set as the user storage. Keycloak updates the usernames in its own database, but when trying to update any attribute for a user with a modified username, it attempts to apply the username change to LDAP as well, resulting in an error.
Version
26.0.4
Regression
[ ] The issue is a regression
Expected behavior
Enabling "Email as username" should only apply to new users created after the setting is changed, while existing users should retain their usernames unchanged, especially if LDAP is configured as the user store.
Actual behavior
When "Email as Username" is enabled:
1. Keycloak automatically changes existing usernames to email addresses. This is returned by the API:
(Screenshot 2024-11-01 at 08 57 17: API response showing the rewritten usernames)
2. Attempting to update a user attribute for a user whose username has changed will cause Keycloak to attempt to push the change to LDAP, resulting in an error.
```
2024-11-01 07:01:47,561 WARN [org.keycloak.services.resources.admin.UserResource] (executor-thread-19) Could not update user!: org.keycloak.models.ModelException: Cannot change username if the realm is not configured to allow edit the usernames
at org.keycloak.storage.ldap.mappers.UserAttributeLDAPStorageMapper.checkDuplicateUsername(UserAttributeLDAPStorageMapper.java:190)
at org.keycloak.storage.ldap.mappers.UserAttributeLDAPStorageMapper$1.setUsername(UserAttributeLDAPStorageMapper.java:244)
```
How to Reproduce?
1. Configure LDAP as the user storage provider.
2. Create users with custom usernames (non-email).
3. Enable "Email as Username" in Keycloak settings.
4. Observe that usernames in Keycloak are changed to email addresses for existing users.
5. Attempt to update a user attribute for one of these affected users.
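A preflight check an administrator can run before flipping the setting, added here as an example (not part of this issue or of Keycloak itself): it takes user representations in the shape returned by the admin REST API (`GET /admin/realms/{realm}/users`; the sample records below are constructed) and lists the users whose username would be rewritten to their email address, which for LDAP-backed users is exactly the state that later produces the error above.

```python
import json

# Constructed sample of Keycloak UserRepresentation objects as returned by
# GET /admin/realms/{realm}/users. Field names follow the real schema;
# ids, names and the federationLink value are made up for this example.
SAMPLE_USERS = json.loads("""
[
  {"id": "u1", "username": "jdoe", "email": "JDoe@example.com",
   "federationLink": "ldap-provider-id"},
  {"id": "u2", "username": "alice@example.com", "email": "alice@example.com",
   "federationLink": "ldap-provider-id"},
  {"id": "u3", "username": "bob", "email": "bob@example.com"},
  {"id": "u4", "username": "carol", "federationLink": "ldap-provider-id"}
]
""")


def affected_by_email_as_username(users, federated_only=True):
    """Return the users whose username would no longer match once
    "Email as Username" is enabled: username and email differ
    (compared case-insensitively, since Keycloak stores both in lower case).

    With federated_only=True only users backed by a user storage provider
    (federationLink set) are reported; those are the accounts for which a
    later attribute update would try to push the new username to LDAP.
    Users without an email are skipped: there is nothing to rewrite to.
    """
    flagged = []
    for u in users:
        email = (u.get("email") or "").strip().lower()
        username = (u.get("username") or "").strip().lower()
        if not email:
            continue
        if federated_only and not u.get("federationLink"):
            continue
        if username != email:
            flagged.append({
                "id": u["id"],
                "username": u["username"],
                "email": u["email"],
                "federated": bool(u.get("federationLink")),
            })
    return flagged


if __name__ == "__main__":
    for row in affected_by_email_as_username(SAMPLE_USERS):
        print(f"{row['id']}: {row['username']} -> {row['email']} (federated={row['federated']})")
```

Run it against a realm export (or the paged output of the users endpoint) before enabling the setting; a non-empty result means existing LDAP-backed accounts would be renamed.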
Anything else?
Related discussions:
Issue #33360
In issue #34167, @ssilvert mentioned that enabling "Email as Username" should not change existing usernames, but in our case usernames are indeed being altered, especially affecting LDAP synchronization.