Keycloak 22.0.1 unable to create user with long email address #22825

Closed
2 tasks done
tangtang95 opened this issue Aug 30, 2023 · 7 comments · Fixed by #23109
Labels
area/admin/api kind/bug Categorizes a PR related to a bug

@tangtang95
Contributor

Before reporting an issue

Area

admin/api

Describe the bug

With the latest nightly release, it is no longer possible to create a user with an email longer than 75 characters. Moreover, in 22.0.1, the limit seems to be at 87 characters.

Meanwhile in the old version 21.1.2, it is still possible to create a user with an email longer than 87 characters.

This happens both via REST API users and on the admin UI:
image

Version

22.0.1

Expected behavior

Still able to create user with more than 87 characters in the email like in 21.1.2. Not sure what was the limit before.

Actual behavior

Unable to create user with more than 87 characters in the email.

How to Reproduce?

  • Run keycloak server
  • Login and go to user section
  • Try to create user with email address longer than 87 characters in 22.0.1 (or longer than 75 in nightly release)

Anything else?

No response

@tangtang95 tangtang95 added kind/bug Categorizes a PR related to a bug status/triage labels Aug 30, 2023
@kaustubh-rh
Contributor

Hi @mposolda, the above-mentioned issue is reproducible. Do we have to set the limit to 87 characters?

@mposolda mposolda added this to the 22.0.3 milestone Sep 6, 2023
@mposolda
Contributor

mposolda commented Sep 6, 2023

It will be good to make sure that long email addresses still work similarly to how they did before. Hence marking this as a regression and adding it to 22.0.3 for now.

I think this is related to some recent changes in email validation, which might cause this issue.

@kaustubh-rh do you want to investigate this issue and work on it? If yes, feel free to comment here and send the PR for it. It would be welcome.

@kaustubh-rh
Contributor

@mposolda yes, will raise a PR for the same. Thanks :)

@pedro-hos
Contributor

Hi @kaustubh-rh and @mposolda, just a heads up, the following line limiting the character size:

private static final int MAX_LOCAL_PART_LENGTH = 64;

was added in PR #21131 (issue #20878). I guess that this validation is related to RFC-3696, which limits the local part to 64 characters:

In addition to restrictions on syntax, there is a length limit on
email addresses. That limit is a maximum of 64 characters (octets)
in the "local part" (before the "@") and a maximum of 255 characters
(octets) in the domain part (after the "@") for a total length of 320
characters. Systems that handle email should be prepared to process
addresses which are that long, even though they are rarely
encountered.

So, if we'll accept more than 64 characters, we just need to change the:

private static final int MAX_LOCAL_PART_LENGTH = 64;

I don't know what is better, keep the limit, or increase the value.

@mposolda
Contributor

mposolda commented Sep 7, 2023

@pedro-hos Thanks for investigating this! Is it possible to keep 64 characters by default, but allow a bigger value in the configuration? Maybe some new option of the user profile provider (see for example https://www.keycloak.org/docs/latest/server_admin/index.html#_read_only_user_attributes for another configuration option added to this profile). So maybe something like --spi-user-profile-declarative-user-profile-max-email-local-part-length=64. The default value can be 64 when not filled. Not 100% sure if we need the same also for the domain? I would say not, as the length limit for the domain is well-known.

It will also be good to document this in the migration guide. Can you please document it in the existing changes-22_0_2.adoc file with the note that we recently added the limit of 64, but for backwards compatibility, people can update it if needed?

@kaustubh-rh
Contributor

Hi @mposolda @pedro-hos, thanks for the clarification. It looks to be a good idea to add spi-user-profile-declarative-user-profile-max-email-local-part-length in the configuration. @pedro-hos, can I raise a PR for the same?

@ov-developer

I don't think this is fixed. The validation does also seem to validate the domain-part.
If I try to create a user with the following domain-part it fails saving:
@this-is-a-domain-part-of-an-email-exceeding-64-characters-and-therefore-fails.com
If I shorten it to 64 characters before the .com it works again.

The previously cited RFC says 255 characters in the domain part should be fine.
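
Added example (not part of the thread and not Keycloak's code): a length check that reports which limit an address exceeds, using the configurable local-part limit proposed above (default 64) and the 255-octet domain limit from the quoted RFC text. The class and method names are hypothetical, and the 63-octet per-label limit (RFC 1035) is an assumption about what a validator may additionally enforce; the thread does not say which domain check Keycloak applies.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not Keycloak's validator: lists every length limit an address exceeds.
public class EmailLengthCheck {
    static final int DEFAULT_MAX_LOCAL_PART = 64; // RFC 3696 limit quoted in the thread
    static final int MAX_DOMAIN = 255;            // RFC 3696 limit quoted in the thread
    static final int MAX_LABEL = 63;              // assumption: per-label DNS limit (RFC 1035)

    static int octets(String s) {
        return s.getBytes(StandardCharsets.UTF_8).length; // limits are in octets, not chars
    }

    static List<String> violations(String email, int maxLocalPart) {
        List<String> out = new ArrayList<>();
        int at = email.lastIndexOf('@'); // a quoted local part may itself contain '@'
        if (at <= 0 || at == email.length() - 1) {
            out.add("missing local part or domain");
            return out;
        }
        String local = email.substring(0, at);
        String domain = email.substring(at + 1);
        if (octets(local) > maxLocalPart) {
            out.add("local part is " + octets(local) + " octets, limit " + maxLocalPart);
        }
        if (octets(domain) > MAX_DOMAIN) {
            out.add("domain is " + octets(domain) + " octets, limit " + MAX_DOMAIN);
        }
        for (String label : domain.split("\\.", -1)) {
            if (label.isEmpty()) {
                out.add("empty domain label");
            } else if (octets(label) > MAX_LABEL) {
                out.add("label '" + label + "' is " + octets(label) + " octets, limit " + MAX_LABEL);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed addresses; the last domain is the one quoted above
            "a".repeat(64) + "@example.com",
            "a".repeat(80) + "@example.com",
            "user@this-is-a-domain-part-of-an-email-exceeding-64-characters-and-therefore-fails.com",
        };
        for (String s : samples) {
            System.out.println(s + " -> default: " + violations(s, DEFAULT_MAX_LOCAL_PART)
                + ", raised to 100: " + violations(s, 100));
        }
    }
}
```

Raising the local-part limit changes the result only for the second sample; the third is flagged by the per-label check regardless of that setting, which is why the two limits are reported separately.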
