I need to create authentication validation and I need to decide what characters we will allow to in username. For now I think:
Is there a problem with using underscore (_) and dash (-)?
Or it should be avoided to allow users to use such characters?
If yes, why?
Everything depends where would you like to use this username later, how sent and have it easly readable during transfering and storing.
In my opinion following characters
._-0-9a-zA-Z are good because make username clear. It is easy later even to use username in request parameter
?username=my-user-name for rows filtering/searching and link is very clear.
Only one additional limitation I would like to add is to do not let for any user to create login that starts, ends or contains in direct sibling following characters
If you want to integrate it with some service like gmail I recommend to look at google documentations.