Hi @djotanov and thank you for your feedback! This would not most probably affect existing realms. However, we might hit validation issues when modifying such Realm.

@DGuhr Realm renaming was always a bit buggy. This will have to be properly tested.

Realm updates is what I am talking about. We have automated process of realm upgrades, where we update realm JSON, then export old realm with users, replace old realm JSON with updated one, and reimport it back with overwrite. I'm sure many keycloak users are doing that, as there is no better way to do it at the moment (this might be simpler in the future with new store).
This process will be broken (actually already is broken in newer keycloak versions) if you decide not to support whitespaces any more

That's a good point. However, as far as I can tell, we never supported whitespaces properly. It is broken at multiple places (incl. token verification as Dominik stated). The suggestion is to improve the UX around it to make it clear whitespaces are not supported.

ok, so it is pretty clear that we do not want to support this, makes total sense from my side, I just did not want to bias anyone by putting my opinion out first.

@mposolda actually there is already a regression to older keycloak versions it seems, so a deprecation would not bring much imo, as it is unusable as is. See this video: https://youtu.be/3OhurnqPsLk

Even when you set the encoded whitespace manually, it does not work to access the account console ootb, or am I missing something? @djotanov mentions here, that it works for him. This seems a bit weird for me, as the video shows it does not, so -i guess I am missing sth here. If not, it is just broken imo, and even some checks are in place to avoid adding whitespaces when creating a client (see video), just not the check for when we create / import a realm. So if I dont miss sth we don't need to deprecate it, but could just add the proper validation to the appropriate points. wdyt?

see also e.g. stians answer here: #5375 (comment) and pedros answer here and his referenced JIRA tickets: #11921 (comment) - imo we should just remove the capability to create realms with whitespaces in it by adding proper validation, but I am fine when someone tells me we have to deprecate it first, I just need to know what I did wrong, because it seems completely broken to me, so no need to deprecate a broken feature ;)

@DGuhr I've just tried to create keycloak realm called "foo bar" and it works fine. I am not able to login to account console by default, but after changing "Valid redirect URL" of the account-console client to /realms/* it works fine and I am able to login to the account console. Also people may not use account console at all and their clients can still work.

That is why I propose the "deprecation period" to be on the safe side regarding backwards compatibility.

+1 for deprecation. We are currently able to upgrade our realm with whitespace to the latest keycloak version, and everything works fine (we don't use account pages).

@mposolda @djotanov thanks for clarifying, then i'd also say we need a deprecation period. Forgot about the wildcards, also it seems to work under some circumstances, so perhaps "account" console is not the best example.

So @keycloak/kc-developers @keycloak/kc-maintainers question is how to proceed:

• assumption: It is clear we want to deprecate it.
• assumption: It is clear we want to use the existing validation in the server-spi-private package.
• fact: this change is not really quarkus/operator related, just evolved out of the referenced bug, and tbh I don't know yet all the places i'd have to touch (admin-ui old, admin-ui new, where to put the deprecated flag?, ...)
• fact: this change also needs to be communicated, targeted for a major version (imo: 19), added to migration guide, etc
• Question: Anyone up for it? I'd do this and ask more concrete questions when I'm on it, but I'll be away the following week and as stated before may be not the best fit ;) (I'm still up for it if noone chimes in, don't get me wrong)

I believe that replacing whitespaces with underscores by default is not a way to go. I can imagine situations where caller could be surprised by this replacement. I think there should be rather validation done during the creation of the realm.

Good point. I think the Realm name and ID is the same thing in most cases. AFAIK we don't use UUID for Realm IDs(?).

If I am not mistaken (@sguilhen could you please confirm), starting with #10901 we use UUIDs in the new storage JPA implementation.

Realm names could be used in the URLs as long as they are unique - which should be the case - and as long as the lookup is done by realm name - which is the case (see

That said, no format of ID is guaranteed in the store - ID is store's responsibility, and store gives no guarantee apart from that it can be converted to and from String.

I think this is the answer to the question whether we should use IDs in the URLs. Since the IDs generation depends on the store implementation, we should use something more consistent – i.e. keep using the name.

Actually update of realm name through the UI works as expected in latest version of keycloak, so that's fine