Open cooperlyt opened 1 year ago
Hello, it seems like the update phone number action doesn't check if such a phoneNumber is already assigned to another user.
@cooperlyt after a bit of debugging.
So as far as I understood, the update phone number action should un-verify other users with the same phone. Unfortunately it doesn't work in keycloak 21.0.2.
Would it be possible to configure whether it should throw an error or un-verify other users?
I will check it.
Maybe this is related to the problem:
Let's say we have this setup:
phoneNumber user attribute in Keycloak (required by this package)
I think this could also lead to a severe security issue, because users are able to change their phone numbers on their own behalf.
Possible solution: The policy should never update a user's phone number if there already is a phoneNumber and phoneNumberVerified = true on the user, and the user should not be able to change his/her phone number on login.
Another finding:
The SMS-OTP workflow fails on the Configure OTP over SMS required action if LDAP is set to READ_ONLY. For me the easiest solution would be that the required action does not (re-)set a user's phoneNumber if it is already set and verified.
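The check proposed in the two comments above (refuse to overwrite an already verified phoneNumber, and refuse a number that another user already holds as verified, rather than silently un-verifying that user), as an added example in plain Keycloak SPI Java. It is not code from the keycloak-phone-provider project; the class and method names are hypothetical, the attribute names phoneNumber and phoneNumberVerified are taken from this thread, and it assumes the caller is a required action or form action that already has a KeycloakSession, RealmModel and the target UserModel.

```java
import java.util.stream.Stream;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Decides whether a phone number may be written to a user before any
 * attribute update happens. Hypothetical helper, not part of the plugin.
 */
public final class PhoneNumberAssignmentGuard {

    // Attribute names as used in this issue thread.
    public static final String PHONE_ATTR = "phoneNumber";
    public static final String VERIFIED_ATTR = "phoneNumberVerified";

    /** Outcome of the check; the caller maps it to an error or a no-op. */
    public enum Decision { ALLOW, ALREADY_VERIFIED_ON_TARGET, TAKEN_BY_OTHER_VERIFIED_USER }

    private PhoneNumberAssignmentGuard() {}

    public static Decision check(KeycloakSession session, RealmModel realm,
                                 UserModel target, String newPhone) {
        // Rule 1: never overwrite a number that the target user has already verified.
        // Returning before any write also keeps READ_ONLY LDAP users untouched.
        if (target.getFirstAttribute(PHONE_ATTR) != null && isVerified(target)) {
            return Decision.ALREADY_VERIFIED_ON_TARGET;
        }
        // Rule 2: refuse the number when another user holds it as verified,
        // instead of un-verifying that user as a side effect.
        try (Stream<UserModel> holders =
                 session.users().searchForUserByUserAttributeStream(realm, PHONE_ATTR, newPhone)) {
            boolean takenByOther = holders
                .filter(u -> !u.getId().equals(target.getId()))
                .anyMatch(PhoneNumberAssignmentGuard::isVerified);
            if (takenByOther) {
                return Decision.TAKEN_BY_OTHER_VERIFIED_USER;
            }
        }
        return Decision.ALLOW;
    }

    /** A user counts as verified only when the flag is literally "true". */
    static boolean isVerified(UserModel user) {
        return Boolean.parseBoolean(user.getFirstAttribute(VERIFIED_ATTR));
    }
}
```

A required action would call check(...) first and only proceed to setSingleAttribute when the result is ALLOW; whether TAKEN_BY_OTHER_VERIFIED_USER becomes a form error or a silent skip is the configurable behaviour asked for earlier in the thread.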
Now we have update phone number, but this required action can change the phone number.