Usernames with periods are changed to underscore

(Michael Downey) #1

We use SSO from a central directory so users don’t specify their name directly.

From SSO, from time to time user names are being sent that have periods in them, e.g., firstname.lastname. However, when their user accounts are being created initially in Discourse, they are actually getting created as firstname_lastname.

This will create a problem in the event we have two users with usernames such as who’s registered, and foo_bar comes along later but his user ID is already taken.

Any idea why the periods are getting replaced with underscores? We verified that what we’re sending is accurate with the period.

/users/by-external route doesn't support external_id values with "." in them
(David Maxwell) #2

The rules are the same as twitter.

Here’s a recent discussion with that included: What are the rules for usernames?

And a decent discussion on why - no “official” responses in there, but valid points made: Why are usernames so restrictive?

(Sam Saffron) #3

This is not really a bug.

SSO coerces whatever you give it into a username that we allow, we allow no dots in usernames. Is there a reason you really want periods in usernames? There may be other fallout if we allow that like @mention matcher and other bits and pieces.

(Michael Downey) #4

Our LDAP policy allows periods, so we have quite a few users that have periods in their usernames. For consistency it’d be helpful for them to have the same username in Discourse as they do on all our other webapps. From the user’s perspective, confusion is the worst possible scenario.

We need to determine if there would be some problem if someone came along with an external_username with an underscore that would be the same as the “coerced” username which changed from a period to an underscore. Could such New User B (with underscore) get access to the account of Old User A (with period)? Hopefully not. :smile:

Based on some earlier experiences, perhaps that second Discourse account would be created as firstname_lastname1?

It seems to us that if someone is using SSO, the username policy should be able to be controlled by the directory (within reason). If there’s a good reason that Discourse can’t support periods, I suppose we’ll just deal with the confusion.

(Kane York) #5

Yeah, I’m pretty sure that’s what will happen. Access is based on the external_id.

It would involve rewriting the list of allowed URLs, I’m pretty sure, which is hard/annoying to do.

(Michael Downey) #6

Any new updates on this? (Or anyone else also coping with this problem?) We’ve got several users complaining that their user ID’s are different on our Discourse installation than on our other apps.

(Sam Saffron) #7

This is now fixed / implemented as a feature per:

(Michael Downey) #8

What happens if someone with a period signs in with SSO, but their account was already created being converted to an underscore?

(Stephen) #9

Which version of LDAP? Which implementation?

(Michael Downey) #10

We’re just hooking in to the official Discourse SSO:

(Stephen) #11

I understand that, I was asking about your directory because many also support the use of spaces in usernames.

(Michael Downey) #12

Ah, sorry. We’re using OpenLDAP, but we now block anything other than letters (upper & lower case) and numbers, no other special characters allowed. We do have a couple “legacy” users with periods still.

(Kane York) #13

The username shouldn’t change on subsequent logins.