airavata-dev mailing list archives

From Suresh Marru <>
Subject Re: Problem with Keycloak converting usernames to lowercase
Date Wed, 14 Jun 2017 14:18:52 GMT
Hi Marcus,

Interesting problem. Your conclusion seems to be the right approach. 

+1 for fixing the legacy data and also for employing lowercasing all the tables you identified.


> On Jun 14, 2017, at 10:14 AM, Christie, Marcus Aaron <> wrote:
> Dev,
> During testing integration with Keycloak, Eroma discovered several issues [1] [2] [3] [4] related to having a legacy username with mixed upper and lower case characters. WSO2 IS allowed users to have usernames with upper case characters. However, Keycloak lowercases the username when a user is created so all usernames in Keycloak are lowercase. This causes a problem when code compares a user’s logged in username with usernames in the Airavata database that have upper case characters. For example, the PGA when trying to determine if the logged in user can write to a project gets all of the accessible users and compares the logged in username against the list of accessible usernames.
> After some thought I’ve come around to thinking that Keycloak lowercasing usernames is a good idea. It could cause confusion and potential security issues to allow users to have case-sensitive usernames. Two usernames could be identical except for case and it would be reasonable for users to assume that they represent the same user.
> So I think Airavata and specifically the User Profile service should adopt the same policy and lowercase usernames.
> For legacy data, to fix the issues Eroma encountered, we would need to do a one-time conversion of legacy usernames to lowercase. This would involve:
> * lowercasing all usernames in Airavata database. See [5] for list of tables that would be affected
> * lowercase the user directory names in gateway user storage on the PGA servers
>   * likewise lowercase the user directory names in DATA_REPLICA_LOCATION
> I’m open to any feedback.
> Thanks,
> Marcus
> [1] <>
> [2] <>
> [3] <>
> [4] <>
> [5]
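
The following is an added example, not code from this thread or from Airavata: it plans the one-time lowercase conversion discussed above and flags legacy usernames that differ only by case, since those would collapse into a single account after lowercasing. The function names and the sample usernames are hypothetical and constructed for illustration.

```python
from collections import defaultdict


def plan_lowercase_migration(usernames):
    """Plan a one-time lowercase conversion of legacy usernames.

    Returns (renames, collisions):
      renames    -- {old: new} for names that change and have a unique target
      collisions -- {lowercased: [originals]} where two or more distinct
                    legacy names fold to the same value; these need a manual
                    decision before any table or directory is touched.
    """
    groups = defaultdict(set)
    for name in usernames:
        # str.lower() mirrors the lowercasing the thread attributes to Keycloak.
        groups[name.lower()].add(name)

    renames, collisions = {}, {}
    for folded, originals in groups.items():
        if len(originals) > 1:
            collisions[folded] = sorted(originals)
        else:
            (only,) = originals
            if only != folded:
                renames[only] = folded
    return renames, collisions


def can_write(logged_in_username, accessible_usernames):
    """Case-normalized form of the comparison described in the thread:
    is the logged-in user among the users with access to a project?"""
    wanted = logged_in_username.lower()
    return any(u.lower() == wanted for u in accessible_usernames)


# Constructed sample data: "CAROL" and "carol" are distinct legacy accounts.
LEGACY = ["Alice", "bob", "CAROL", "carol", "dave"]

if __name__ == "__main__":
    renames, collisions = plan_lowercase_migration(LEGACY)
    print("safe renames:", renames)
    print("needs review:", collisions)
```

Running the collision check before the conversion matters because merging two case-variant accounts silently would give one user the other's projects and storage directories.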
