Hide / disable email changes on client account area

Hi Keycloak community,

Does anyone know whether it’s possible to hide or disable email changes when users log into their client account area, and show the username instead?

For the realm in the “Login” settings I have:
“Email as username” enabled
“Login with email” disabled

So the username is used as the email and I’m not using the email field.

Many thanks!

2 Likes

Did you ever find out how to disable email changes?

I’m wondering the same right now.

1 Like

Same problem here.
Keycloak version 11.0.2 (and previous).

I’ve set “Email as username” enabled and “edit username” disabled, but when I go to the client account area I can edit the email (and so can edit the username).

How can I disable email changes? Thanks

It’s like the expression says: use email as username, not vice versa.
So, the email address is used as the username, thus the username is not visible.
The option “edit username” applies only to the username, not the email. If the username field is not visible in the UI, it has no effect.
Email changes can’t be disabled.
(Exception: you make the field read-only in your customized theme.)

@dasniko, ok, but a user can change their email in the account page and this will also change the username. I don’t want to allow username changes, and the field “edit username” is disabled…

If you use email as username and users are allowed to edit their email address, why should username changes be forbidden? That doesn’t make sense at all.
When a user changes the email address they log in with, they wouldn’t expect the old email address to still be available somewhere and usable for login.
If you need an immutable value, use the user id; this won’t change.

@dasniko, I want to make the email immutable because the email is used to match accounts in some (bad?) OIDC/SAML adapters. So yes, I use email as username and don’t want to allow users to edit their email address.

Then set the field to read-only in your custom account theme. This way, users won’t be able to edit their email address.

This front-end hack is problematic from a security standpoint. Email should be immutable in the backend.

3 Likes

Yeah, this is very problematic, especially since Keycloak doesn’t make the user verify the email after they change it (and there’s no way to enable this flow from what I’ve seen). It essentially makes email verification irrelevant for any user who can access the Account page. It seems like a pretty significant security oversight, and I don’t think changing the field to read-only in the UI is enough.

For anyone finding this thread later on: as of at least version 14, setting “email as username” and disabling editable usernames does in fact prevent users from changing their email address. The UX for this in the default templates is not great, however: it still renders an editable form field but rejects an edit with “Bad Request: readOnlyUsernameMessage”.

If you want to make other fields read-only, you might want to check out enabling the Declarative User Profile feature (Server Administration Guide) which allows you to set e.g. firstName and lastName as read-only (but still set on registration). It is important to note that this does NOT work with the “email” field.

If you wish to disable email changing because Keycloak does not currently require verification for the new email, watch this PR: KEYCLOAK-6455 “Ability to require email to be verified before changing” by reda-alaoui (Pull Request #7943, keycloak/keycloak on GitHub).

5 Likes
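As an added example (not from the thread or the Keycloak project), this is the shape of a Declarative User Profile configuration, for a realm with that feature enabled, that leaves firstName and lastName viewable by the user but editable only by admins, while email keeps its default user-editable permissions as described above:

```json
{
  "attributes": [
    {
      "name": "username",
      "displayName": "${username}",
      "validations": { "length": { "min": 3, "max": 255 } },
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    },
    {
      "name": "email",
      "displayName": "${email}",
      "validations": { "email": {}, "length": { "max": 255 } },
      "required": { "roles": ["user"] },
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    },
    {
      "name": "firstName",
      "displayName": "${firstName}",
      "validations": { "length": { "max": 255 } },
      "permissions": { "view": ["admin", "user"], "edit": ["admin"] }
    },
    {
      "name": "lastName",
      "displayName": "${lastName}",
      "validations": { "length": { "max": 255 } },
      "permissions": { "view": ["admin", "user"], "edit": ["admin"] }
    }
  ]
}
```

The difference between a read-only and an editable field is only the `edit` list: `["admin"]` rejects user edits server-side in the account console and REST API, whereas `["admin", "user"]` accepts them.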