bigbluebutton / greenlight

A really simple end-user interface for your BigBlueButton server.
GNU Lesser General Public License v3.0

Keycloak and greenlight user profiles #5878

Closed himpierre closed 2 months ago

himpierre commented 3 months ago

Hello Devs.

I'm using the Keycloak authenticator right now. The Keycloak backend is our LDAP server. It seems the users cannot edit their usernames in Greenlight anymore after the latest Keycloak (3.3.6) update. Maybe an earlier release is affected too, I don't know exactly. Anyway, here is my question: what could be the reason for this behaviour? Is it a bug in Greenlight, or is there something which needs to be configured in Keycloak or even LDAP to get that working again?

cheers! t.

fmo1 commented 2 months ago

It's not because of Keycloak and it isn't a bug in Greenlight either. It was done intentionally... it's listed as an improvement in the release notes for 3.3.6. I would say people have different opinions on whether it makes sense or not... I don't know the exact reason behind this decision... I'm not part of the dev team.

Ithanil commented 2 months ago

I think in most cases deployments with external identity providers want their IDP as the source of truth, i.e. the information in GL should always match what the IDP provides. That's also enforced by the setting flag "Resync User Data On Every Sign In", which is enabled by default. In that case any change that a user makes to their profile would be overridden on the next login, which is confusing to the user, and thus it's better to not allow changes in the first place.

However, I think the above-mentioned change in 3.3.6 would have been better if it only applied when the Resync flag is actually enabled. If you desire that behavior, then I would suggest opening an issue with that exact requirement, and maybe @farhatahmad can find a solution.

himpierre commented 2 months ago

Thanks for your answers, guys!