
Password policies like NoUsername consider case-sensitivity #37431

@mposolda

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Original report

Assume there is Not Username password policy set.

Concluding my analysis after RHSSO 7.6.9 and RHBK 24.0.x: in RHBK 26.0.7 I can register the same string as the 'username' (username = Testing@12345678 / password: Testing@12345678) if it 'contains' the 'username', and with other strings they are not validated as an invalid 'password' (Success! The password has been set.), that is, it does not respect the password policy.

Cause

We lowercase usernames before saving them to the DB, so the username is lowercased to "testing@12345678" before it is saved. Then the password policy checks whether the password "Testing@12345678" equals the username "testing@12345678", and it allows the password to be created because the username was lowercased.

It seems to me this should be fixed for multiple password policies:

  • NotUsernamePasswordPolicy
  • NotEmailPasswordPolicy
  • NotContainsUsernamePasswordPolicy

to make sure that we compare in a case-insensitive way.

Version

nightly (from 2025-02-18), older versions as well from RHSSO 7.6.9

Regression

  • The issue is a regression

Expected behavior

The password is compared with the username/email in a case-insensitive way, so it is not possible to create, for example, the email [email protected] with the password [email protected] (as it is in fact the same email).

Actual behavior

Case sensitivity is considered, so it is possible to create, for example, the email [email protected] with the password [email protected] (even though it is in fact the same email).

How to Reproduce?

See description

Anything else?

No response
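The sequence described in the Cause section, modelled as an added example in Python (this is not Keycloak's own code, which is Java; the policy names are the three listed above and the lowercasing is assumed to behave like `str.lower()`). Registration canonicalises the username and email before storing them; the buggy policies then compare the candidate password to the stored (lowercased) value case-sensitively, so a password that differs from the username only in case is accepted. The fixed variants fold both sides before comparing. The sample user and passwords are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    email: Optional[str] = None


def canonicalize(value: str) -> str:
    """Models the lowercasing applied to usernames/emails before they are stored.
    Assumption: plain str.lower(); the real implementation may differ in locale handling."""
    return value.lower()


def register(raw_username: str, raw_email: Optional[str] = None) -> User:
    """What the user typed is canonicalised; the stored record is what the policies see."""
    return User(canonicalize(raw_username), canonicalize(raw_email) if raw_email else None)


# A policy is (name, check); check returns True when the password is ACCEPTED.
Policy = Tuple[str, Callable[[User, str], bool]]

# Buggy variants: case-sensitive comparison against the stored (lowercased) value,
# mirroring the behaviour the issue describes.
BUGGY_POLICIES: List[Policy] = [
    ("NotUsernamePasswordPolicy", lambda u, p: p != u.username),
    ("NotEmailPasswordPolicy", lambda u, p: u.email is None or p != u.email),
    ("NotContainsUsernamePasswordPolicy", lambda u, p: u.username not in p),
]


def _fold(s: str) -> str:
    # casefold() is stricter than lower() (e.g. "ß" folds to "ss"), so a password that
    # differs from the username only by a Unicode case variant is still caught.
    return s.casefold()


# Fixed variants: both sides are folded before comparing.
FIXED_POLICIES: List[Policy] = [
    ("NotUsernamePasswordPolicy", lambda u, p: _fold(p) != _fold(u.username)),
    ("NotEmailPasswordPolicy", lambda u, p: u.email is None or _fold(p) != _fold(u.email)),
    ("NotContainsUsernamePasswordPolicy", lambda u, p: _fold(u.username) not in _fold(p)),
]


def rejected_by(policies: List[Policy], user: User, password: str) -> List[str]:
    """Names of the policies that reject `password` for `user`; an empty list means accepted."""
    return [name for name, check in policies if not check(user, password)]


if __name__ == "__main__":
    # Constructed reproduction of the report: username and password are the same string.
    user = register("Testing@12345678", "Alice@Example.com")
    print("stored username:", user.username)  # lowercased at registration
    for label, policies in (("buggy", BUGGY_POLICIES), ("fixed", FIXED_POLICIES)):
        for candidate in ("Testing@12345678", "Alice@Example.com", "x-TESTING@12345678-y"):
            print(f"{label:5} {candidate!r:25} rejected by {rejected_by(policies, user, candidate)}")
```

With the buggy policies every candidate above is accepted, because the stored username and email are lowercased while the candidate keeps the case the user typed. The fixed policies reject the same-as-username and same-as-email passwords and also catch a username embedded in the password in a different case, which is the NotContainsUsername case from the list above.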
