Stealth mode in non-flow-based self-registration API (discontinued)

This document covers only the non-flow-based user self-registration REST API. Note that this interface will be removed in a future IAM version.

Please use the flow-based User self-registration REST API (section 17.2.3) instead.

The REST API for User Registration Self-Services in the Loginapp accepts usernames chosen by the client in self-registration requests. The username is sent as the 'id' field of the registration request. Depending on the configuration, the username is either a mandatory or an optional element of a self-registration request. If it is optional and no username is provided, IAM generates a unique username.

To preserve the uniqueness of usernames, self-registration requests containing a username that already exists in the IAM user store are rejected. Additionally, the configuration of the User Registration Self-Service REST API ("User Self Registration REST Config") supports the definition of a set of alias attributes ("Alias Attribute Names"), i.e., a set of user context data attributes that could potentially be used as aliases for the username. Since these aliases must be unique as well, IAM checks the provided username and all provided alias attributes in a self-registration request for uniqueness against all existing entries in the union of the username column and all "Alias Attribute Names" columns in the IAM user store.

Self-registration requests that violate this uniqueness check have no effect, i.e., no user with the provided user data is created.

If a client of the User Registration Self-Service REST API can observe the result of the uniqueness check described above (e.g., because the response differs depending on whether a user was created), it learns information about existing user data records. An attacker can use this as an oracle to enumerate usernames and aliases, i.e., to collect a set of valid usernames and aliases by submitting guessed values in self-registration requests.
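The following is an added example, not Airlock IAM code: it models the uniqueness check over the union of the username column and the configured alias attribute columns, and shows why a response that reveals the check's outcome is an enumeration oracle. The user store layout, the alias attribute names "email" and "phone", the HTTP status codes and the `register_stealth` variant (which simply returns the same response whether or not a user was created) are assumptions for illustration; the section above does not describe how IAM's stealth mode actually responds.

```python
# Added example (not Airlock IAM code). Models the uniqueness check of the
# non-flow-based self-registration API and the enumeration oracle that a
# result-revealing response creates. Store layout, attribute names, status
# codes and the stealth variant are assumptions for illustration.

# Constructed sample user store: 'id' is the username, the other keys are
# user context data attributes.
USER_STORE = [
    {"id": "alice", "email": "alice@example.com", "phone": "+41 1111"},
    {"id": "bob", "email": "bob@example.com", "phone": "+41 2222"},
]

# Assumed "Alias Attribute Names" from the User Self Registration REST Config.
ALIAS_ATTRIBUTE_NAMES = ("email", "phone")


def reserved_identifiers(store, alias_attrs):
    """Union of the username column and all alias attribute columns."""
    taken = set()
    for row in store:
        taken.add(row["id"])
        for attr in alias_attrs:
            if row.get(attr):
                taken.add(row[attr])
    return taken


def violates_uniqueness(request, store, alias_attrs):
    """True if the requested username or any provided alias attribute
    already exists anywhere in the union of username and alias columns."""
    taken = reserved_identifiers(store, alias_attrs)
    fields = ("id",) + tuple(alias_attrs)
    candidates = [request[f] for f in fields if request.get(f)]
    return any(value in taken for value in candidates)


def register_verbose(request, store, alias_attrs=ALIAS_ATTRIBUTE_NAMES):
    """Leaky variant: the response reveals whether the check failed."""
    if violates_uniqueness(request, store, alias_attrs):
        return {"status": 409, "reason": "username or alias already in use"}
    store.append(dict(request))
    return {"status": 201}


def register_stealth(request, store, alias_attrs=ALIAS_ATTRIBUTE_NAMES):
    """Illustrative variant (assumption, not IAM's actual behaviour): the
    response is identical either way; a violating request has no effect."""
    if not violates_uniqueness(request, store, alias_attrs):
        store.append(dict(request))
    return {"status": 202}


def enumerate_via_oracle(register, guesses, store):
    """Attacker loop: one probe per guess. Because the check runs over the
    union of username and alias columns, presenting the guess as both the
    username and an alias reveals whether it exists in any of them."""
    found = []
    for guess in guesses:
        response = register({"id": guess, "email": guess}, store)
        if response["status"] == 409:
            found.append(guess)
    return found


if __name__ == "__main__":
    guesses = ["alice", "bob@example.com", "mallory", "+41 2222"]
    print("leaky  :", enumerate_via_oracle(register_verbose,
                                           guesses, [dict(r) for r in USER_STORE]))
    print("stealth:", enumerate_via_oracle(register_stealth,
                                           guesses, [dict(r) for r in USER_STORE]))
```

Against the leaky variant the attacker recovers every existing username, e-mail alias and phone alias from the guess list; against the stealth variant the probes return nothing, although the non-colliding probes still create throwaway accounts, which is a side effect worth monitoring in its own right.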