Does anyone know whether it’s possible to hide or disable the email changes when they log into their client account area and show the username instead?
For the realm in the “Login” settings I have:
“Email as username” enabled
“Login with email” disabled
So the username is used as the email and I’m not using the email field.
It’s like the expression says: use email as username, not vice versa.
So, the email address is used as username, thus the username is not visible.
The option “edit username” yields only to username, not email. If the username field is not visible in the UI, it has no effect.
Email changes can’t be disabled.
(Exception: you make the field read-only in your customized theme).
@dasniko, OK, but a user can change their email on the account page and this will also change the username. I don’t want to allow username changes and the field “edit username” is disabled…
If you use email as username and users are allowed to edit their email address - why should username change be forbidden? That doesn’t make sense at all.
When a user changes the email address with which they log in, they wouldn’t expect that the old email address is still available somewhere and that a login is also possible with it.
If you need an immutable date, use the userid, this won’t change.
@dasniko, I want to make email immutable because email is used to match accounts in some (bad?) OIDC/SAML adapters. So yes, I use email as username and don’t want to allow users to edit their email address.
Yeah, this is very problematic, especially since Keycloak doesn’t make the user verify the email after they change it (and there’s no way to enable this flow from what I’ve seen). It essentially makes email verification irrelevant for any user who can access the Account page. It seems like a pretty significant security oversight, and I don’t think changing the field to read-only in the UI is enough.
For anyone finding this thread later on, as of at least version 14, setting “email as username” and disabling editable usernames does in fact prevent users from changing their email address. The UX for this in the default templates is not great, however: it still renders an editable form field but will reject an edit with “Bad Request: readOnlyUsernameMessage”.
If you want to make other fields read-only, you might want to check out enabling the Declarative User Profile feature (Server Administration Guide) which allows you to set e.g. firstName and lastName as read-only (but still set on registration). It is important to note that this does NOT work with the “email” field.
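The thread's suggestion to rely on the user ID instead of the email when matching accounts, sketched from the relying-party side as an added example (not code from Keycloak or from any poster). `AccountStore`, `resolve_account` and the sample claims are hypothetical and constructed; the claims are assumed to come from an ID token whose signature and issuer were already validated.

```python
# Relying-party account lookup keyed on (iss, sub) rather than on email.
# All names and sample values here are constructed for illustration.
ISS = "https://idp.example.test/realms/demo"  # placeholder issuer

class AccountStore:
    def __init__(self):
        self.by_subject = {}  # (iss, sub) -> local account id
        self.emails = {}      # local account id -> last accepted email

    def resolve_account(self, claims):
        """Map validated ID-token claims to (account_id, event)."""
        key = (claims["iss"], claims["sub"])
        email = claims.get("email", "").strip().lower()
        verified = claims.get("email_verified") is True
        account = self.by_subject.get(key)
        if account is None:
            # Unknown subject: create a fresh account. An equal email string
            # is never a reason to attach to an existing account.
            account = f"acct-{len(self.by_subject) + 1}"
            self.by_subject[key] = account
            self.emails[account] = email if verified else ""
            return account, "created"
        if email != self.emails[account]:
            # Same subject, different email: the account stays the same.
            if verified:
                self.emails[account] = email
                return account, "email-updated"
            return account, "email-change-unverified"
        return account, "ok"

# Constructed sample claims.
alice = {"iss": ISS, "sub": "u-1001", "email": "alice@example.test",
         "email_verified": True}
bob = {"iss": ISS, "sub": "u-1002", "email": "bob@example.test",
       "email_verified": True}
# Same subject as bob, email edited to another user's address, unverified.
bob_changed = dict(bob, email="alice@example.test", email_verified=False)

def demo():
    store = AccountStore()
    events = [store.resolve_account(c)
              for c in (alice, bob, bob_changed, alice)]
    return events, dict(store.emails)

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

An adapter that matched on the `email` claim would resolve the third login to the first account; keyed on `(iss, sub)` it stays on the second and the unverified address is not stored.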