How to prevent a user from updating their profile via Application Initiated Actions

I want to prevent some users from changing their profile and their password. I have removed the manage-account role from those users, so that they can no longer access their Account Management Page (https://example.com/realms/atlas/account).

I noticed though, that the user can still trigger a profile or password change by using an appropriate Application Initiated Actions link.

For example going to the following URL the user can authenticate and is prompted with a form to update their profile:

https://example.com/realms/atlas/protocol/openid-connect/auth?response_type=code&client_id=some-client&scope=openid%20profile%20email&redirect_uri=https://example.com/login/oauth2/code/oidc&kc_action=UPDATE_PROFILE

This works even if the user in question does not have the manage-account role.

Is there a way to prevent a user from updating their profile via Application Initiated Actions?

Hi,

Does disabling the required action (Admin Console, section “Authentication”, tab “Required Actions”) help? When users can change their email address (maybe to the email address of another user) and if you have a client that uses the email as primary user identifier (which is always a bad idea), this could be a big security problem…

1 Like
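The point of the answer above is that an Application Initiated Action is gated by the required action's own enabled flag, not by the manage-account role, so the check a defender wants is "which of the AIA-triggerable required actions are still enabled in this realm?". The script below is an added example, not code from the thread or from the Keycloak project: it parses the `kc_action` out of an authorization URL, audits the list returned by the admin REST endpoint `GET /admin/realms/{realm}/authentication/required-actions`, and builds the `PUT .../required-actions/{alias}` body that turns an action off. The realm name `atlas` and the base URL come from the question; the admin credentials, the sample action list and the `UPDATE_PASSWORD` alias for the password action are assumptions (the alias is the one Keycloak uses, but it is not on the page).

```python
"""Audit Keycloak required actions reachable through Application Initiated
Actions (kc_action=...) and disable them via the admin REST API.

Added example; assumes a Keycloak realm "atlas" at https://example.com and an
admin user in the master realm. Network calls are only made from main().
"""
import json
import urllib.parse
import urllib.request

# Actions the thread is about: UPDATE_PROFILE appears in the question's URL,
# UPDATE_PASSWORD is the alias Keycloak uses for the password change action.
AIA_ACTIONS_TO_LOCK = {"UPDATE_PROFILE", "UPDATE_PASSWORD"}

# Constructed sample resembling the admin API's required-actions response.
SAMPLE_REQUIRED_ACTIONS = [
    {"alias": "UPDATE_PROFILE", "name": "Update Profile", "enabled": True,
     "defaultAction": False, "priority": 40, "config": {}},
    {"alias": "UPDATE_PASSWORD", "name": "Update Password", "enabled": True,
     "defaultAction": False, "priority": 30, "config": {}},
    {"alias": "VERIFY_EMAIL", "name": "Verify Email", "enabled": True,
     "defaultAction": False, "priority": 50, "config": {}},
    {"alias": "TERMS_AND_CONDITIONS", "name": "Terms and Conditions",
     "enabled": False, "defaultAction": False, "priority": 20, "config": {}},
]


def requested_action(auth_url):
    """Return the kc_action value carried by an authorization URL, or None.

    Useful when reviewing access logs: a request with kc_action set is an
    attempt to start a required action outside the account console."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(auth_url).query)
    values = query.get("kc_action")
    return values[0] if values else None


def enabled_aia_actions(required_actions, watch=AIA_ACTIONS_TO_LOCK):
    """Aliases from `watch` that are still enabled in the realm, i.e. still
    triggerable through kc_action regardless of the manage-account role."""
    return sorted(ra["alias"] for ra in required_actions
                  if ra["alias"] in watch and ra.get("enabled", False))


def disabled_representation(required_action):
    """Copy of a RequiredActionProviderRepresentation with the action turned
    off; this is the body for PUT /admin/realms/{realm}/authentication/
    required-actions/{alias}. defaultAction is cleared as well so the action
    is not silently added to newly created users."""
    rep = dict(required_action)
    rep["enabled"] = False
    rep["defaultAction"] = False
    return rep


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli
    client (assumed admin credentials)."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def api(base_url, token, path, method="GET", body=None):
    """Minimal JSON call against the admin REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}/admin{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def lock_aia_actions(base_url, token, realm, watch=AIA_ACTIONS_TO_LOCK):
    """Disable every enabled action in `watch` for the realm; returns the
    aliases that were changed."""
    actions = api(base_url, token, f"/realms/{realm}/authentication/required-actions")
    changed = []
    for ra in actions:
        if ra["alias"] in enabled_aia_actions(actions, watch):
            api(base_url, token,
                f"/realms/{realm}/authentication/required-actions/{ra['alias']}",
                method="PUT", body=disabled_representation(ra))
            changed.append(ra["alias"])
    return changed


def main():
    # Offline part: audit the constructed sample.
    print("still enabled:", enabled_aia_actions(SAMPLE_REQUIRED_ACTIONS))
    # Online part (assumed credentials, requires a reachable Keycloak):
    # token = admin_token("https://example.com", "admin", "ADMIN_PASSWORD_PLACEHOLDER")
    # print("disabled:", lock_aia_actions("https://example.com", token, "atlas"))


if __name__ == "__main__":
    main()
```

Run the offline audit first against a dump of the realm's required actions; once the PUT has been applied, a request carrying `kc_action=UPDATE_PROFILE` no longer presents the profile form, which is the behaviour the question reporter confirmed. Note that this is a realm-wide switch, as the thread points out, so it removes the action for every user and client in the realm, including the account console.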

Disabling the required action did indeed help. It is a bit unfortunate that this is a global setting, I was hoping for a per-user setting, but I can live with that.

As this is an action which can be triggered by a client, I think it would be helpful to have this as a per-client setting instead of globally. Or at least to connect these actions to an authentication flow…

1 Like