It seems possible to get access to another user's account because the plugin doesn't check the `verified` flag provided by Discord. The procedure is as follows:

1. A Keycloak instance is installed, the keycloak-discord plugin is added, and the "Trust Email" option is off;
2. a user with a known email already exists, and that email is verified;
3. someone creates a new Discord account with the (unverified) email of the user mentioned above and uses it to log in to Keycloak;
4. the plugin trusts the email provided by Discord and merges the Discord login with the existing user;
5. the malicious person is authenticated as the user.
Can you verify the information above please?