What is the list of allowed characters for usernames in Keycloak?

1

Hello everyone,

I’m trying to determine the exact list of characters that are allowed (or disallowed) for a username in Keycloak. During my investigation, I came across the filesrc/main/java/org/keycloak/services/validation/Validation.javaand this specific line: Pattern.compile("^[\\p{IsLatin}|\\p{IsCommon}]+$")

I’m particularly curious about the \p{IsCommon}part of this regular expression. It doesn’t seem to match any standard class documented in the Java Regular Expressions API (see Pattern (Java Platform SE 8 )), and I couldn’t find a clear explanation of what it encompasses.

  1. Does \p{IsCommon}represent a Keycloak-specific extension, or does it map to a broader Unicode class? Is there an exhaustive list of characters that fall under this category?
  2. And more globally, is there an exhaustive list of allowed characters for usernames in Keycloak ? If so, is it possible to access or retrieve this list?

Thank you in advance for your insights!

2

Hi Catheline,

  1. The \p{IsCommon} construct refers to the “Common” Unicode script. Therefore, the “Latin”[1] and “Common”[2] scripts together comprise the whitelist;
  2. Keycloak 24 has introduced the User Profile feature with fine-grained, per attribute validators. It applies an additional blacklist of characters on top of the above whitelist.

That said, the resulting allowlist looks like this (let’s use Unicode :slight_smile: ):

(UnicodeLatin ∪ UnicodeCommon) ∖ UsernameProhibitedCharacters

[1] zuga .net/articles/unicode/script/latin/
[2] zuga .net/articles/unicode/script/common/

2 Likes
3

(sorry for the formatting, seems like a bug in Discourse doesn’t allow to post direct links sometimes)

1 Like
4

Hi Dimitry,

Thank you so much for your detailed and helpful explanation! I really appreciate the time you took to clarify this. No worries about the links, I was able to access them, and they were exactly what I was looking for.

Catheline