Details

      Description

The email address is currently unique within a realm, so there can't be different accounts with the same email address. This request asks for a way to configure whether the email address must be unique within the realm or not.

There are situations where you want the same email address on different users. One example is using the email address as the address of the responsible contact person for "server accounts". It happens quite often that one and the same person is responsible for more than one such user, so you would want to configure the same email address for several users. This is currently not possible in Keycloak.

There are other situations where you want the same email address on different accounts. The OpenID Connect specification addresses this topic as follows:

"Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.
All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use an email Claim Value across different End-Users at different points in time, and the claimed email address for a given End-User MAY change over time. Therefore, other Claims such as email, phone_number, and preferred_username, MUST NOT be used as unique identifiers for the End-User." [OpenID Connect Core Specification 1.0, section 5.7 Claim Stability and Uniqueness]

Because of this, the specification recommends not making the email address unique. Not enforcing uniqueness would be a more flexible way of handling the email address and would follow the recommendation of the OpenID Connect specification.
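What the quoted section means for a relying party is that local accounts must be keyed on the (iss, sub) pair, with email treated as a mutable attribute. The following is an added example, not code from Keycloak or from this issue; the issuer URL, subjects and email addresses are constructed, and the claims are assumed to come from an ID token that has already been validated.

```python
# Added example (not Keycloak code): a relying party that maps ID token claims
# to local accounts using (iss, sub), as OIDC Core 1.0 section 5.7 requires.
# Two users sharing one email, and a user whose email changes, both stay correct.
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    account_id: int
    issuer: str
    subject: str
    email: str  # informational only: may be shared or change, never a key


@dataclass
class AccountStore:
    """Holds the (iss, sub) -> account mapping; email is stored but not indexed."""
    by_identity: dict = field(default_factory=dict)
    next_id: int = 1

    def resolve(self, claims: dict) -> LocalAccount:
        """Find or create the local account for a validated ID token's claims.

        'claims' is assumed to come from a token whose signature, issuer,
        audience and expiry were already checked by the OIDC client library.
        """
        key = (claims["iss"], claims["sub"])
        account = self.by_identity.get(key)
        if account is None:
            account = LocalAccount(self.next_id, claims["iss"], claims["sub"],
                                   claims.get("email", ""))
            self.by_identity[key] = account
            self.next_id += 1
        elif claims.get("email") and claims["email"] != account.email:
            # The Issuer MAY change the email for a given End-User over time:
            # update the attribute, keep the same account.
            account.email = claims["email"]
        return account


def demo():
    """Constructed scenario from the issue: one contact address, two server users."""
    store = AccountStore()
    iss = "https://sso.example.test/realms/servers"  # constructed issuer
    a = store.resolve({"iss": iss, "sub": "srv-01", "email": "ops@example.test"})
    b = store.resolve({"iss": iss, "sub": "srv-02", "email": "ops@example.test"})
    # The first user later presents a changed email address.
    a2 = store.resolve({"iss": iss, "sub": "srv-01", "email": "ops-new@example.test"})
    return store, a, b, a2
```

Had the store been keyed on email instead, the second login would have been merged into the first user's account and the email change would have created a new one.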

Possible solution from Stian Thorgersen, from the email discussion on the keycloak-user mailing list:
      "We would need to have a separate field in the db for non-unique email addresses. That's not really a big problem I think, but it would still be a fair bit of work to implement. We'd also need to have an option on a realm on what attribute to use as username, options should be username/email, username or email."

People

Assignee: Unassigned
Reporter: Sebastian Olscher
Votes: 23
Watchers: 26