Home > front end >  Keycloak: should UserName be used as logical key or NameIdentifier, or email address, or something e
Keycloak: should UserName be used as logical key or NameIdentifier, or email address, or something e

Time:12-27

In an ASP.net core application I'd like to store some information linked to each user. Users are managed by Keycloak.

What is the best field to be chosen as "logical key" (that is: the foreign key used in my information table to link the user)? Should it be Keycloak's NameIdentifier (something like a GUID: "90666d8e-5efa-49d0-ba07-86cff816f1f3"), or the username (the one used by the user when logging in), or the email address or something else?

CodePudding user response:

What is the best field to be chosen as "logical key" (that is: the foreign key used in my information table to link the user)?

The best one will be the one that can 1) uniquely identify the user and 2) cannot be changed.

Username at first looks like a good candidate; but the username can be changed (Realm Settings > Login > Edit username set to ON), albeit by default it is readonly. The same applies to email address and many of the other user attributes.

The best key will be the user ID, represented in your case by the NameIdentifier. This Key uniquely identifies the user and its value cannot be changed. This Key will be injected into the tokens (e.g., access token) under the claim sub.

  • Related