Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-18694

Registration handler and account console endpoint permits users to un-set their email address or bypass the "Verify email" realm setting

    XMLWordPrintable

Details

    • Bug
    • Status: Pull Request Sent
    • Major
    • Resolution: Unresolved
    • 14.0.0
    • None
    • Account - REST API, Authentication
    • None
    • This issue is security relevant
    • Hide
      1. Set up a realm that accepts both username and email
      2. Register a new user without filling out the email field
      3. See that the request is rejected
      4. Delete the email field with your browser's html element picker and try again
      5. See that you have created a user with no email

      You should be able to follow a similar process when using the account console

      Show
      Set up a realm that accepts both username and email Register a new user without filling out the email field See that the request is rejected Delete the email field with your browser's html element picker and try again See that you have created a user with no email You should be able to follow a similar process when using the account console
    • NEW
    • NEW

    Description

      It appears that the system does not permit a user to not have an email address. If you attempt to self-service register an account with no email, it will return an error stating that the email is required. This behavior is also present in the account console.

      However, if you tamper with the HTTP request to omit the email field entirely (e.g. delete the input tag for it via the browser's dev tools, or craft a special network request) it will accept the request and un-set the user's email. This works regardless of whether or not the email attribute is set to required or read-only in the Declarative User Profile feature. This does not work, however, if "email as username" is enabled.

      Update: I am marking this as a security issue; I have just discovered it allows a user to bypass the "Verify email" realm setting.

      Attachments

        Activity

          People

            Unassigned Unassigned
            wweber@wesweber.com Wes Weber (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated: