  1. Red Hat build of Keycloak
  2. RHBK-4013

Version 26.4.1 breaks existing ldap users with capital letters in username [GHI#43621]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      ldap

      Describe the bug

      Existing users that came from LDAP with uppercase letters in their usernames can't log in anymore using stored credentials like passkeys or TOTP. Additionally, downstream apps that honor casing on the OIDC subject will not recognize the user anymore.

      There might be more issues (SAML, others), but I have only encountered the described behavior.

      This is most likely caused by the following issues/PRs:

      Version

      25.4.1

      Regression

      [x] The issue is a regression

      Expected behavior

      Users are still able to log in as normal after a patch update. The user ID should stay stable and not change.

      Actual behavior

      The user ID changes uppercase letters to lowercase letters.

      How to Reproduce?

      1. Set up a Keycloak with a version < 25.4.1
      2. Set up LDAP federation
      3. Log in users that contain capital letters in their username
      4. Potentially register passkeys.
      5. Upgrade Keycloak to 25.4.1 and notice the changed user ID.
      6. Try to log in the user with a passkey

      Anything else?

      I understand the need to change the need to normalize usernames; however, I think this should be rolled back and reintroduced as a breaking change, not a patch.

      Of course there is also the discussion if case sensitivity should even be allowed: https://github.com/keycloak/keycloak/issues/32869

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core IAM