Hide / disable email changes on client account area

Hi Keycloak community,

Does anyone know whether it’s possible to hide or disable email changes when users log into their client account area, and show the username instead?

For the realm in the “Login” settings I have:
“Email as username” enabled
“Login with email” disabled

So the username is used as the email and I’m not using the email field.

Many thanks!


Did you ever find out how to disable email changes?

I’m wondering the same right now.

Same problem here.
Keycloak version 11.0.2 (and previous).

I’ve set “Email as username” enabled and “edit username” disabled, but when I go to the client account area I can edit the email (and so can edit the username).

How can I disable email changes? Thanks

It’s like the expression says: use email as username, not vice versa.
So, the email address is used as the username, thus the username is not visible.
The option “edit username” applies only to the username, not the email. If the username field is not visible in the UI, it has no effect.
Email changes can’t be disabled.
(Exception: you make the field read-only in your customized theme.)

@dasniko, ok, but a user can change their email on the account page and this will also change the username. I don’t want to allow username changes, and the field “edit username” is disabled…

If you use email as username and users are allowed to edit their email address, why should a username change be forbidden? That doesn’t make sense at all.
When a user changes the email address they log in with, they wouldn’t expect the old email address to still be available somewhere and also usable for login.
If you need an immutable value, use the user id, which won’t change.

@dasniko, I want to make the email immutable because the email is used to match accounts in some (bad?) OIDC/SAML adapters. So yes, I use email as username and don’t want to allow users to edit their email address.

Then set the field to read-only in your custom account theme. This way, users won’t be able to edit their email address.

This front-end hack is problematic from a security standpoint. Email should be immutable in the backend.


Yeah, this is very problematic, especially since Keycloak doesn’t make the user verify the email after they change it (and there’s no way to enable this flow from what I’ve seen). It essentially makes email verification irrelevant for any user who can access the Account page. It seems like a pretty significant security oversight, and I don’t think changing the field to read-only in the UI is enough.
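Since the thread concludes that a read-only field in the theme is not a real control and that self-service email changes are never re-verified, a compensating measure a defender can deploy today is to watch the Keycloak event stream for UPDATE_EMAIL events that come from the account client and that are not followed by a VERIFY_EMAIL event for the same user. The script below is an added example written for this thread, not code from Keycloak or from any poster; the log lines are constructed, and their layout (type=..., clientId=..., previous_email=..., updated_email=...) is an assumption about what the built-in jboss-logging event listener prints when org.keycloak.events is at DEBUG, so adjust the field parsing to whatever your listener actually emits.

```python
import re
from dataclasses import dataclass

# Constructed sample lines. The "type=..., key=value, ..." layout is assumed to
# match Keycloak's jboss-logging event listener; it is not taken from the thread.
SAMPLE_LOG = """\
2021-03-01 10:15:02,117 DEBUG [org.keycloak.events] (default task-3) type=LOGIN, realmId=demo, clientId=account, userId=1f2a3b, ipAddress=10.0.0.5, username=alice@example.com
2021-03-01 10:15:40,902 DEBUG [org.keycloak.events] (default task-4) type=UPDATE_EMAIL, realmId=demo, clientId=account, userId=1f2a3b, ipAddress=10.0.0.5, previous_email=alice@example.com, updated_email=alice.new@example.org
2021-03-01 10:16:01,330 DEBUG [org.keycloak.events] (default task-2) type=UPDATE_PROFILE, realmId=demo, clientId=account, userId=9c8d7e, ipAddress=10.0.0.9, updated_first_name=Bob
2021-03-01 10:17:12,004 DEBUG [org.keycloak.events] (default task-5) type=UPDATE_EMAIL, realmId=demo, clientId=account, userId=9c8d7e, ipAddress=10.0.0.9, previous_email=bob@example.com, updated_email=bob@example.com
2021-03-01 10:20:45,771 DEBUG [org.keycloak.events] (default task-1) type=VERIFY_EMAIL, realmId=demo, clientId=account, userId=9c8d7e, ipAddress=10.0.0.9, email=bob@example.com
"""

# key=value pairs; values in these events contain no spaces or commas.
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


@dataclass
class EmailChange:
    user_id: str
    client_id: str
    previous: str
    updated: str
    ip: str


def parse_events(log_text):
    """Turn each org.keycloak.events line into a dict of its key=value fields."""
    events = []
    for line in log_text.splitlines():
        if "[org.keycloak.events]" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "type" in fields:
            events.append(fields)
    return events


def self_service_email_changes(events):
    """Return UPDATE_EMAIL events where the address actually changed.

    With "Email as username" enabled, each of these is also a username change,
    which is exactly what the thread wanted to forbid.
    """
    changes = []
    for ev in events:
        if ev.get("type") != "UPDATE_EMAIL":
            continue
        prev = ev.get("previous_email", "")
        new = ev.get("updated_email", "")
        if prev.lower() == new.lower():
            continue  # form re-submitted with the same address; nothing changed
        changes.append(EmailChange(ev.get("userId", ""), ev.get("clientId", ""),
                                   prev, new, ev.get("ipAddress", "")))
    return changes


def unverified_changes(events):
    """Email changes with no later VERIFY_EMAIL event for the same user.

    Keycloak does not force re-verification after a self-service change, so
    these are the accounts whose login identifier is now an unverified address.
    """
    result = []
    for idx, ev in enumerate(events):
        if ev.get("type") != "UPDATE_EMAIL":
            continue
        if ev.get("previous_email", "").lower() == ev.get("updated_email", "").lower():
            continue
        verified_later = any(
            later.get("type") == "VERIFY_EMAIL" and later.get("userId") == ev.get("userId")
            for later in events[idx + 1:]
        )
        if not verified_later:
            result.append(ev.get("userId", ""))
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for c in self_service_email_changes(evs):
        print(f"user {c.user_id} changed email {c.previous} -> {c.updated} via {c.client_id} from {c.ip}")
    print("changed but never re-verified:", unverified_changes(evs))
```

Run it against your own server log with the event listener enabled; the users it lists are the ones to review (or to re-match in the OIDC/SAML adapters that key on email), which is the gap a theme-level read-only attribute cannot close.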