Bob Sheknowdas

Reputation: 367

Email claim overrides username in Keycloak

I've written a custom OIDC-Provider and connected it to Keycloak. After the first login via my provider, the user gets asked to enter a username, email, first name and last name (first-broker-login-flow).

Usually the username is prefilled with what is in the 'sub' claim. But when sending an 'email' claim, the username is prefilled with the email.

How can I prefill the username with something other than my email, while also sending an 'email' claim?

So far I've tried sending a 'name', a 'username' and a 'preferred_username' claim - no success.

I figured out that the IdpReviewProfileAuthenticator checks for isRegistrationEmailAsUsername(). So I've deactivated "Login with email" in my realm settings - no success.

Is there any way for Keycloak to not use the 'email' claim for the username?

Upvotes: 0

Views: 4301

Answers (1)

Bob Sheknowdas

Reputation: 367

I figured out a workaround. In Keycloak I created a "Username Template Importer" mapper for my OIDC provider and set the template value to ${CLAIM.sub}.

Not the nicest solution in my humble opinion. But it works until I figure out a better way to do it...

Upvotes: 4
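
The mapper from the answer above, written out as an added example (not part of the original post): it builds the mapper representation one would submit to Keycloak's admin API and previews what username a template produces for a given token. The alias, mapper name and sample claims are constructed; the provider id `oidc-username-idp-mapper` and the `template` config key are assumptions to verify against your Keycloak version, and `render_username` is a simplified model of the substitution, not Keycloak's code.

```python
import json
import re

IDP_ALIAS = "my-oidc-provider"  # hypothetical identity provider alias

# Constructed sample claims, shaped like the ID token in the question.
SAMPLE_CLAIMS = {"sub": "a1b2c3", "email": "bob@example.org"}


def username_template_mapper(alias, template="${CLAIM.sub}"):
    """Mapper representation for the identity provider's mappers endpoint
    (admin REST: .../identity-provider/instances/{alias}/mappers)."""
    return {
        "name": "username-from-sub",  # hypothetical mapper name
        "identityProviderAlias": alias,
        # Assumed provider id of the "Username Template Importer" for OIDC.
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"template": template},
    }


_PLACEHOLDER = re.compile(r"\$\{(ALIAS|CLAIM\.([^}]+))\}")


def render_username(template, claims, alias):
    """Preview the username a template yields for one set of claims.

    Simplified model: supports ${ALIAS} and ${CLAIM.<name>} only, and
    rejects a missing claim so a misconfigured template is caught early.
    """
    def substitute(match):
        if match.group(1) == "ALIAS":
            return alias
        name = match.group(2)
        if name not in claims:
            raise KeyError(f"claim {name!r} missing from token")
        return str(claims[name])

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    print(json.dumps(username_template_mapper(IDP_ALIAS), indent=2))
    # With the template from the answer, the prefilled username follows
    # 'sub' even though the token also carries an 'email' claim.
    print(render_username("${CLAIM.sub}", SAMPLE_CLAIMS, IDP_ALIAS))
```

Prefixing the template with `${ALIAS}.` keeps usernames from different brokered providers from colliding on the same `sub` value.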
