Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover

Keycloak CI - Store IT (mysql)

java.lang.RuntimeException: java.lang.IllegalStateException: Keycloak unexpectedly died :(
	at org.keycloak.testsuite.arquillian.containers.KeycloakQuarkusServerDeployableContainer.start(KeycloakQuarkusServerDeployableContainer.java:71)
	at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:185)
	at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:137)
	at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:133)
...

Report flaky test

This gets a +1 from me. I am personally not sure about the option to revert to the current behavior in point 1 above. I would rather always have the username AND email change validations always in place.

Thanks @sguilhen! Yes, I'm not sure either about adding the previous behavior. I just did it because maybe somebody is using only email to link users, and this way they can revert to previous behavior. Let's wait for @pedroigor and we have three votes.

It makes more sense to remove both new options. As @rmartinc mentioned, in a scenario where a legitimate user is trying to link an account from an IdP where the email/username is different, it is still possible to finish the linking by re-authenticating. And this mechanism is much better/secure than allowing sending arbitrary e-mails and eventually taking over accounts.

Perhaps the last thing to add is a release and upgrade guide note about this new behavior.

FTR, this is also related to #25575. Ideally, we should control the behavior of user attributes through user profile. Preventing users from changing emails when being federated from an IdP is a valid use case and could also help as an extra security layer to prevent such issues.

But regardless, we need to prevent sending verification emails when username/email changes in favor of using the user credentials.

OK, I have done the changes we have been talking about:

• There is no new options for the authenticators. The email validator never sends emails if the email/username is changed during review (so previous wrong behavior is not allowed anymore). This step is only available when the username/email received from IdP is used.
• The review button is not displayed if the idp review authenticator was not successfully executed. This avoids the option too.
• The emails and the confirming page of the email verification have been changed a bit. IMHO the email was quite good and just added a sentence saying if you didn't initiate this process... The confirming page was modified more to differentiate title and body, and adding a message similar to the email for the body.
• A upgrading note was added as a notable change commenting the changes.

Let's see the tests but they worked OK for me in another branch.

@rmartinc @pedroigor @sguilhen Thanks for this PR and for reviewing it!

Fantastic news! Thanks a million for creating the PR and reviewing it folks!