Keycloak does not handle email trust correctly, which makes impersonation and lockout possible. Because a user's email-verified state is not reset when their email address changes, a user can shadow another user by taking over the same email address and then lock out or impersonate them.
1. Set up a Keycloak instance with a 'customer' realm.
2. Create a 'shared' realm in which the 'customer' realm is configured as an identity provider.
3. Disable the 'Trust email' option on that identity provider in the 'shared' realm.
4. Create a new user in the 'customer' realm and log in to the 'shared' realm with it.
5. Verify that the user is prompted to verify their email address.
6. Update the user's email address in the 'customer' realm and log in to the 'shared' realm again.
7. Verify that the email attribute in the 'shared' realm has been updated but the user's email still remains marked as verified.
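An audit for the end state these steps produce, added here as an example (not Keycloak's own tooling and not part of the advisory): it lists the broker realm's users through the Admin REST API, attaches each user's federated-identity links, and reports every email address claimed by more than one user where at least one of them is brokered from the 'customer' provider and still has emailVerified set. Assumed are the base URL in KC_URL and an admin access token supplied by the caller; the check can only find collisions if the realm permits duplicate emails, since otherwise no two users can share one.

```python
import json
import os
from collections import defaultdict
from urllib.request import Request, urlopen

KC_URL = os.environ.get("KC_URL", "http://localhost:8080")  # assumed base URL
REALM = "shared"        # broker realm from the steps above
IDP_ALIAS = "customer"  # identity-provider alias from the steps above

def admin_get(path, token):
    """GET /admin/realms/<path> with a bearer token; returns parsed JSON."""
    req = Request(f"{KC_URL}/admin/realms/{path}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)

def fetch_users(token):
    """All users of REALM, each with its federated-identity links attached."""
    users = admin_get(f"{REALM}/users?max=1000", token)
    for u in users:
        u["federatedIdentities"] = admin_get(
            f"{REALM}/users/{u['id']}/federated-identity", token)
    return users

def find_collisions(users, idp_alias=IDP_ALIAS):
    """{email: [usernames]} for every e-mail held by 2+ users where at least one
    of them is linked to idp_alias and still has emailVerified=True."""
    def stale_verified(u):
        return bool(u.get("emailVerified")) and any(
            fi.get("identityProvider") == idp_alias for fi in u.get("federatedIdentities", []))
    by_email = defaultdict(list)
    for u in users:
        email = (u.get("email") or "").strip().lower()  # normalise before grouping
        if email:
            by_email[email].append(u)
    return {email: sorted(u["username"] for u in group)
            for email, group in by_email.items()
            if len(group) > 1 and any(stale_verified(u) for u in group)}

# Constructed sample (not real data): 'mallory' is brokered from 'customer', set her
# upstream e-mail to alice's, and the broker realm copied it but kept her verified.
SAMPLE_USERS = [
    {"id": "1", "username": "alice", "email": "alice@example.com",
     "emailVerified": True, "federatedIdentities": []},
    {"id": "2", "username": "mallory", "email": "Alice@Example.com", "emailVerified": True,
     "federatedIdentities": [{"identityProvider": "customer", "userId": "u-2"}]},
    {"id": "3", "username": "bob", "email": "bob@example.com",
     "emailVerified": False, "federatedIdentities": []},
]
```

Against a live instance, run `find_collisions(fetch_users(token))` with an admin token; against the constructed sample it reports alice@example.com as shared by alice and mallory.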