Keycloak shortcomings
This issue serves to track Keycloak shortcomings that we've found.
- Email-squatting is possible, as users can change their email to any random other email, which allows you to block emails. This is not a security issue but it's pretty annoying. https://issues.redhat.com/browse/KEYCLOAK-6455
- No audit logs. These exist but we have to set them up properly: https://www.keycloak.org/docs/latest/server_admin/#auditing-and-events
- Doesn't allow multiple OTP devices. https://issues.redhat.com/browse/KEYCLOAK-14297
- Users can't add WebAuthn providers in the account management page. https://issues.redhat.com/browse/KEYCLOAK-14298
- Users should be forced to an OTP before removing an OTP device. https://issues.redhat.com/browse/KEYCLOAK-14296
- Allow users to have multiple emails. https://issues.redhat.com/browse/KEYCLOAK-14295
- Check that "forgot password" via email does not reset MFA, which makes MFA basically useless. #112 (closed)
- Not being able to set your default OTP/Security key. https://issues.redhat.com/browse/KEYCLOAK-18957
Edited by Jelle van der Waa