Read-only email attribute

I’m currently using Keycloak with federated LDAP. I want to make the email attribute read-only, because people shouldn’t be able to change their email address (our mail server is linked to LDAP as well).

I tried adding email to --spi-user-profile-legacy-user-profile-read-only-attributes, and configuring it with the new declarative user profile feature, but in both cases the user is still able to change the email address from the account console.

Has anyone achieved this yet? Thanks!


Hi,
I don’t know if there’s a possibility to make users’ attributes (or a subset of them) read-only so users cannot change them via the account console’s API. But a workaround could be to modify (a copy of) the account console, showing the text fields read-only and removing the update/save button (file account\resources\content\account-page\AccountPage.js). Of course, this will not prevent hackish users from updating their data (it is still possible to do that via the API), but for normal users it may be ok.

I’m using Keycloak 19.01 and I noticed this as well (for non-federated users, in my case). I think that might have to do with the transition to the “Declarative User Profile Provider”. Even though it shows as one of the disabled features in “Realm Info”, in “Provider Info” I see “userProfile declarative-user-profile”. I assume that means that the old “Legacy User Profile Provider” that added the --spi-user-profile-legacy-user-profile-read-only-attributes argument is not active anymore.

If you have a sufficiently new version of Keycloak (e.g. 19.0.1) you can enable the “Declarative User Profile Provider” as described in the Server Administration Guide. After that you can conveniently set attributes to read-only in the GUI. The feature is still experimental and you might find bugs.

I have not managed to revive the old behaviour with --spi-user-profile-legacy-user-profile-read-only-attributes in Keycloak 19.0.1. If anyone knows how to do that, I’m all ears.
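For reference, this is the shape of the declarative user profile configuration that the GUI described above edits (Realm Settings > User Profile > JSON editor). It is an added example, not taken from this thread or from the Keycloak project files, and it assumes the realm otherwise uses the default attribute set; only the email entry is shown with the edit permission restricted to admin.

```json
{
  "attributes": [
    {
      "name": "email",
      "displayName": "${email}",
      "required": {
        "roles": ["user"]
      },
      "permissions": {
        "view": ["admin", "user"],
        "edit": ["admin"]
      },
      "validations": {
        "email": {}
      }
    }
  ]
}
```

With this in place, confirm the effect by logging in to the account console as an ordinary test user rather than trusting the settings page alone; the thread below reports that, at least on 19.0.2, the email field still remains editable even though other attributes honour the read-only permission.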

you can enable the “Declarative User Profile Provider” as described in the Server Administration Guide. After that you can conveniently set attributes to read-only in the GUI.

I did try this, and it does work for most attributes (on 19.0.2). However, even when the email attribute is set to read-only, users are still able to modify their own email address.


Docs are outdated.