## Technical Details

Product: keycloak
Product Version: 23.0.5 (Latest release)
Platform: Linux (podman - in prod config)

### Summary:

In any realm set up with "User (Self) registration", a user who registered with a username in email format can be "locked out" (denied from logging in) using his username.

### Impact:

A successful exploit of the issue will prevent the specific user from logging in to his account using his username.

### Steps to reproduce:

(see the attached demo)

1. Assuming a realm is configured for "User registration"
   1.1 Note: The "Verify email" and "Forgot password" settings can be activated.
2. Set up a client in the relevant realm.
3. Register a user to the realm (using a username in an email format; the username and the email should be different)
   3.1 Note: This scenario can also happen if a user changes his email at some point in time.
   3.2 We will refer to this user as the victim.
   3.3 Verify the user's email (using the received email)
4. Log in using the username and password.
   4.1 Note: so far, all good.
5. Register a new user, setting the attacker's email address to the previous username (the victim's) (any username can be used).
   5.1 Assumption 2: The attacker obtained the victim's username.
   5.2 Note: the attacker does not need access to the email, even when the "Verify email" option is set.
6. At this point the victim cannot access his account using his username.
   6.1 Note: in the case where the "Forgot password" flow is set, the user can "log in" using that flow (once)
   6.2 The victim cannot log in using his username (even after a password reset).
   6.3 The victim can log in using his (registered) email.
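The condition the steps above produce is a realm in which one account's email equals another account's username. An administrator can audit an existing realm for that state before or after patching. The following script is an added example, not code from the Keycloak project or from this report; it assumes the input is a JSON list of Keycloak user representations with `id`, `username` and `email` fields, as returned by the admin REST API users endpoint or `kcadm.sh get users`, and uses constructed sample records for a stand-alone run.

```python
"""Audit a Keycloak user export for username/email collisions.

Added example (not Keycloak project code). Assumed input: a JSON list of
user representations carrying "id", "username" and "email"; other fields
are ignored. Comparison is case-insensitive because Keycloak normalizes
both usernames and emails to lower case.
"""
import json
import sys

# Constructed sample data: u1 is the victim (email-shaped username),
# u2 registered with an email equal to u1's username, u3 is unaffected.
SAMPLE_USERS = [
    {"id": "u1", "username": "victim@example.com", "email": "victim.real@example.com"},
    {"id": "u2", "username": "squatter", "email": "victim@example.com"},
    {"id": "u3", "username": "alice", "email": "alice@example.com"},
]


def _norm(value):
    """Lower-case and trim a field that may be missing or None."""
    return (value or "").strip().lower()


def find_collisions(users):
    """Return (affected_username, colliding_username) pairs.

    A pair is reported when some other account's email is identical to
    this account's email-shaped username. An account whose own email
    equals its own username is not a collision and is not reported.
    """
    by_email = {}
    for user in users:
        email = _norm(user.get("email"))
        if email:
            by_email.setdefault(email, []).append(user)

    collisions = []
    for user in users:
        username = _norm(user.get("username"))
        if "@" not in username:
            continue  # only email-shaped usernames can be shadowed
        for other in by_email.get(username, []):
            if other.get("id") != user.get("id"):
                collisions.append((user["username"], other["username"]))
    return collisions


def audit_export(json_text):
    """Parse an exported user list (JSON text) and return its collisions."""
    users = json.loads(json_text)
    if not isinstance(users, list):
        raise ValueError("expected a JSON array of user representations")
    return find_collisions(users)


if __name__ == "__main__":
    # Usage: python audit_users.py users.json   (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            found = audit_export(fh.read())
    else:
        found = find_collisions(SAMPLE_USERS)
    for affected, colliding in found:
        print(f"username {affected!r} is shadowed by the email of account {colliding!r}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any collision is found, so it can run as a scheduled check against a periodic export. A realm that enforces "Email as username" in its login settings cannot reach this state, since every username is then also that account's own email.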
Created podman tracking bugs for this issue: Affects: fedora-all [bug 2266338]