-
|
In a corporate environment where e.g. LDAP user federation is used, a user should not be able to change anything in the user profile (email, lastname, firstname). Is there really no "simple" way to achieve this?
|
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 6 replies
-
|
@pedroigor FIY |
Beta Was this translation helpful? Give feedback.
-
|
Right now I added a hacky workaround using a validator applied to the email field in the user profile that should not match in any case. But that doesnt really improve the UX and still feels wrong. |
Beta Was this translation helpful? Give feedback.
-
|
@xoxys The reason for not working with email is that this attribute is considered a root attribute. As such, the behavior of this attribute depends on other settings (e.g.: username as email). I don't see a reason why we can not allow people to force e-mail as read-only if they want to. Would that help with your use case? @velias What do you think? |
Beta Was this translation helpful? Give feedback.
-
|
Are you interested in contributing the changes to make this happen? |
Beta Was this translation helpful? Give feedback.
-
|
My Java knowledge is pretty limited but if you can give me a hint where to start I would give it a shot :) |
Beta Was this translation helpful? Give feedback.
-
|
It should be a very simple change. However, after thinking more about this use case I remember some discussions we had in the past in regards to the integration between the user profile and user federation. Change the user profile itself is simpler but it might not be the best solution. Perhaps we should take into account the mappers from the user federation (e.g.: LDAP) to dynamically mark an attribute as read/write. See https://issues.redhat.com/browse/KEYCLOAK-18432. Right now, we have other priorities that block us to work on this particular issue. And yeah, the changes should require not only some Java background but also specific Keycloak internals. For now, I would suggest you vote for that issue and see if more people are interested in this capability. Depending on how it goes we would be either forced to deliver it or benefit from a contribution. |
Beta Was this translation helpful? Give feedback.
-
|
Just want to let you know that the workaround with the regex pattern will not work because the verification is also used on the admin console if an admin needs to change user profiles (which will then not work anymore).... So don't know why this was not a problem for someone else till now. The result in a corporate environment is:
|
Beta Was this translation helpful? Give feedback.
-
|
In your case, if you the admin wants to change the e-mail, isn't just a matter of updating the e-mail on the LDAP server? But yeah, the workaround is not the best solution. We need something along the lines of what I previously mentioned. Perhaps nobody complained because the feature is quite new or they are not using LDAP as you are :) In any case, I would close this discussion considering that we have https://issues.redhat.com/browse/KEYCLOAK-18432. Does it work for you? |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
See https://issues.redhat.com/browse/KEYCLOAK-18432.