Fedora Account System
Red Hat Associate
Red Hat Customer
A flaw was found in the OIDC broker component of Keycloak, which manages authentication through external identity providers. When Keycloak is configured to trust the email addresses provided by an external provider, it incorrectly applies the "email verified" status from one part of the login process (the ID token) to an email address found in another part (the user information endpoint). This could allow a malicious or compromised identity provider to falsely mark any email address as "verified" within Keycloak, potentially leading to unauthorized account access or incorrect user data validation.