
Option to only send magic links to verified emails #156

@extjast

Description

When using magic links with self-registration enabled, there's no way to prevent magic links from being sent to unverified email addresses.

The problem

  1. User registers with victim@example.com
  2. Before verifying, user requests magic link
  3. Magic link is sent to victim → spam

That way the OIDC can be used to send (magic link) emails to arbitrary victim email addresses.

Version: phasetwo-keycloak:26.4.5

Idea for workaround

Set up some rate limit to at least mitigate the problem, i.e., victims can only be spammed with a limited number of emails per day. However, this does not solve the core issue, because the OIDC can still be abused to send out emails.

Desired behavior

Add a config option like ext-magic-require-verified-email that checks user.isEmailVerified() before sending the magic link. If not verified, show an error instead of sending.

This would allow magic links to be used safely with open registration.

Attempt to fix

  1. We added a registration flow with email verification and then require a verified email for login. However, PhaseTwo ignores the email_verified property and sends out magic links anyway. Keycloak then blocks login and redirects to some account management page to confirm the email address. Obviously, this does not help at all.

  2. We also tried to make the magic link flow a sub-flow and add a condition. Unfortunately, Keycloak does not offer access to the email_verified user property. So this cannot be implemented at this time.
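The gate described under "Desired behavior", written as an added example against the Keycloak authenticator SPI (this is not code from the phasetwo extension): the authenticator reads the proposed ext-magic-require-verified-email option and refuses to send when user.isEmailVerified() is false. The sendMagicLink helper and the emailVerifyRequired message key are assumed names.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.UserModel;

import jakarta.ws.rs.core.Response;

public final class VerifiedEmailGate {

    /** Config key proposed in the issue; read from the authenticator's execution config. */
    static final String REQUIRE_VERIFIED_EMAIL = "ext-magic-require-verified-email";

    /** Defaults to false (today's behaviour) when the option is absent or the config is missing. */
    static boolean requireVerifiedEmail(AuthenticatorConfigModel cfg) {
        if (cfg == null || cfg.getConfig() == null) {
            return false;
        }
        return Boolean.parseBoolean(cfg.getConfig().get(REQUIRE_VERIFIED_EMAIL));
    }

    /** Decision taken before any mail is produced: send only when the option is off or the address is verified. */
    static boolean maySendMagicLink(AuthenticatorConfigModel cfg, UserModel user) {
        return !requireVerifiedEmail(cfg) || user.isEmailVerified();
    }

    /** Placed in front of the existing send step inside Authenticator.authenticate(). */
    static void sendMagicLinkIfAllowed(AuthenticationFlowContext context, UserModel user) {
        if (!maySendMagicLink(context.getAuthenticatorConfig(), user)) {
            // Fail the flow with an error page instead of sending; nothing leaves the server.
            Response challenge = context.form()
                    .setError("emailVerifyRequired")          // assumed message bundle key
                    .createErrorPage(Response.Status.FORBIDDEN);
            context.failure(AuthenticationFlowError.INVALID_USER, challenge);
            return;
        }
        sendMagicLink(context, user); // assumed: the extension's existing send step
    }

    private static void sendMagicLink(AuthenticationFlowContext context, UserModel user) {
        // Stand-in for the extension's mail-sending code; not part of this example's logic.
    }
}
```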
