How to delete newly created users who haven't verified their email and invite them to register again?

Explanation with an example:

Suppose we have a situation where a user creates an account with a random email which he doesn’t own. He then realizes that he needs to verify this email and then leaves the page.

The problem is that Keycloak has already created the account (with a required action “verify_email”). Now, if the true owner of the email would like to register, he will have to deal with the data entered by the previous user (some of which can’t be changed, like the username).

My question:

I would like to know if there’s a possibility to protect us against malicious users who may spam the registration process with wrong data (email, username…), making them unavailable to other potential users.

For example, if the newly created user has not verified his email within 60 min, then the account is deleted and the data (email, username…) become available again. If he clicks on the expired link, he will be invited to create another account.

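The cleanup the question describes (purge accounts whose VERIFY_EMAIL action is still pending after a grace period, so the username and email can be claimed by their real owner) can be scripted against the Keycloak Admin REST API. The following is an added example, not code from the thread or from the Keycloak project; it assumes a base URL such as `https://sso.example.com` (legacy deployments prefix paths with `/auth`), an admin bearer token obtained separately, and the constructed sample users shown inline.

```python
"""Added example: flag and delete Keycloak accounts that never completed
VERIFY_EMAIL within a grace period, using the Admin REST API."""
import json
import time
import urllib.parse
import urllib.request

GRACE_MINUTES = 60  # the 60 min grace period proposed in the question


def is_stale_unverified(user: dict, now_ms: int, grace_min: int = GRACE_MINUTES) -> bool:
    """True when a UserRepresentation still has VERIFY_EMAIL pending and was
    created more than grace_min minutes before now_ms (epoch milliseconds)."""
    if user.get("emailVerified"):
        return False
    if "VERIFY_EMAIL" not in user.get("requiredActions", []):
        return False  # never touch accounts that are not waiting on verification
    created = user.get("createdTimestamp")  # epoch ms, set by Keycloak
    if created is None:
        return False  # missing data: do not delete
    return now_ms - created > grace_min * 60 * 1000


def select_stale(users: list, now_ms: int, grace_min: int = GRACE_MINUTES) -> list:
    """Return the ids of the users to purge; their usernames/emails become free."""
    return [u["id"] for u in users if is_stale_unverified(u, now_ms, grace_min)]


def purge(base_url: str, realm: str, token: str, dry_run: bool = True) -> list:
    """List the realm's users (first page of up to 1000; page with 'first' for
    larger realms) and delete the stale ones unless dry_run is set."""
    hdr = {"Authorization": f"Bearer {token}"}
    q = urllib.parse.urlencode({"max": 1000})
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/users?{q}", headers=hdr)
    with urllib.request.urlopen(req) as resp:
        users = json.load(resp)
    stale = select_stale(users, int(time.time() * 1000))
    for uid in stale:
        if not dry_run:  # audit the dry-run list before deleting for real
            d = urllib.request.Request(f"{base_url}/admin/realms/{realm}/users/{uid}",
                                       headers=hdr, method="DELETE")
            urllib.request.urlopen(d).close()
    return stale


# Constructed sample data (not real users): one stale, one fresh, one verified.
NOW_MS = 1_700_000_000_000
SAMPLE_USERS = [
    {"id": "u-stale", "emailVerified": False, "requiredActions": ["VERIFY_EMAIL"],
     "createdTimestamp": NOW_MS - 90 * 60 * 1000},
    {"id": "u-fresh", "emailVerified": False, "requiredActions": ["VERIFY_EMAIL"],
     "createdTimestamp": NOW_MS - 10 * 60 * 1000},
    {"id": "u-ok", "emailVerified": True, "requiredActions": [],
     "createdTimestamp": NOW_MS - 48 * 60 * 60 * 1000},
]
```

Run `purge(...)` from a scheduled job (cron or a Kubernetes CronJob) and keep the grace period aligned with the realm's User-Initiated Action Lifespan so a link that still works never points at a deleted account.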

Hello,

Yes, but Keycloak should have layers of security such as an AD DC with the proper GPOs; this would be advisable. Second, for best practices I would not let anyone create a user account worldwide, meaning if I can create an account on your Keycloak server (i.e., using your URL), I have passed most of your security.

Depending on how Keycloak is set up, you can create a firewall policy to only allow specific IP addresses to connect on 80/443. You can also monitor the connections to Keycloak.

Realm Settings → Tokens → User-Initiated Action Lifespan


Not sure about deleting account after a period of time, perhaps someone else knows.