Username validation

I noticed keycloak will let you register with any username yet when you go to update a user profile from the system console, you can get an error about invalid characters in the username: “Error: Missing or invalid field(s) Please verify the fields in red”. Looking at the source code, the only username validation I see is in the validate method in the RegistrationUserCreation class, but all it appears to be checking for is whether or not the username already exists.

Is this intentional or am I missing something? What are considered valid usernames for keycloak? There’s obviously some validation being done from the system admin console. Has anyone written some basic validation to make sure the username conforms to whatever keycloak actually accepts?

The easiest i would suggest is to set „use email as username“. Then the username field becomes readonly and is set to email.

Email is a nice standard and also unique.


We had the same issue with editing keycloak users. Our IDP creates the users in keycloak, but then we were not able to edit the users in the keycloak console because of a special character that is not allowed in the UI. There is nothing limiting the character (’/’ in our case) within any other logic, just the angular UI. For your reference, the ui has the following:


Basically, none of the following characters <, >, \, or /.

This work great for user self registration, but it fails short for an admin creating a user.

I’m looking for backend validation that would then apply to both registration and admin user creation, but couldn’t find a clear instruction in the doc.

I guess I have to write an SPI, but the doc doesn’t explicitly says that there is an SPI for such a case. We’ll dig a bit more and report here if we find things :slight_smile:

Hi Pierre

Did you get any further with this? We have the same issue with the platform we’re building - we want users to select (and potentially update) a username which primarily acts as a handle for our chat service. We could do client-side validation, but hooking into the server via an SPI seems more robust.

I’d be happy to collaborate on this!


1 Like

An SPI would have been better indeed :slight_smile:

1 Like

So, this seems promising for my needs at least - I’ll keep you posted…