From: Krzysztof B. <kb...@un...> - 2020-03-25 09:14:19
On 24.03.2020 at 17:08, D Baum wrote:
> Hi!
>
> just found that on my unity instance I can register as separate entities
> with userNames "dbaum", "DBaum", "DbAuM", etc.
>
> In itself, I find this a little confusing for the moderators/admins
> (remembering that DBaum and dbaum can be different people).
>
> However, my unity clients don't all take capitalisation into account
> when retrieving user data (see, e.g.
> https://stackoverflow.com/questions/44821863/spring-boot-security-consider-case-insensitive-username-check-for-login/)
>
> I realise that this could be exploited to hijack a user's account if you
> know the username, by registering the same username with different
> capitalisation in unity and then logging into the client.
>
> Now, I've fixed this on the client side for my setup (where it should be
> fixed). But can I ask that you consider adding a feature where users are
> prevented from registering entities with usernames that differ from
> existing ones only in capitalisation?

Just to clarify: we won't be able to just change the matching, which is technically trivial but may break many things: PAM-based authN, for instance, or existing databases where there are already multiple usernames differing only in case. So this will be either a new identity type or a config option for the username identity type.

KB
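The kind of registration-time check discussed in this thread (an opt-in rejection of new usernames that differ from an existing one only in case, plus an audit of already-stored names that collide under case-insensitive matching, which is what makes a blanket change to the matching rule unsafe), as an added illustration in Python rather than Unity's own Java code; the `UsernameRegistry` class, its method names and the sample usernames are assumptions:

```python
import unicodedata


def canonical_username(name: str) -> str:
    # Key under which two names are treated as "the same user" by a client
    # that matches case-insensitively. NFKC normalisation plus Unicode
    # case-folding covers plain ASCII case variants ("DBaum" vs "dbaum")
    # as well as compatibility forms. Assumed rule, not Unity's.
    return unicodedata.normalize("NFKC", name).casefold()


class UsernameRegistry:
    """Hypothetical identity store: keeps usernames exactly as registered
    (so legacy data is untouched) and optionally refuses new names that
    collide with an existing one modulo case."""

    def __init__(self, existing, reject_case_variants=True):
        self._users = set(existing)
        self.reject_case_variants = reject_case_variants

    def find_case_variants(self, name):
        # Existing names that a case-insensitive client would confuse with `name`.
        key = canonical_username(name)
        return sorted(u for u in self._users
                      if u != name and canonical_username(u) == key)

    def register(self, name):
        if name in self._users:
            raise ValueError(f"username {name!r} already exists")
        if self.reject_case_variants:
            clashes = self.find_case_variants(name)
            if clashes:
                raise ValueError(
                    f"username {name!r} differs only in case from {clashes}")
        self._users.add(name)
        return name

    def audit_existing_collisions(self):
        # Groups of stored names that already differ only by case. A deployment
        # with non-empty output here cannot simply switch to case-insensitive
        # matching without deciding which row each login should resolve to.
        groups = {}
        for u in self._users:
            groups.setdefault(canonical_username(u), []).append(u)
        return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Constructed sample data: a store holding "dbaum", "alice" and "Alice" reports the alice/Alice pair in the audit and, with the check enabled, refuses "DBaum".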