Problem
Users can currently update their email address to any value. This bypasses the security requirement that a user's email should be verified and backed by an external identity provider (OIDC).
Requirement
Implement a Validating Admission Webhook for the User resource.
The webhook must enforce the following logic during an UPDATE request:
- Validate that the new email address exists within the user's current UserIdentities.
- Reject the update if the new email does not match any available linked identity.
- Allow the update only if a match is found.
Goals
- Ensure data integrity between User records and external identity providers.
- Prevent manual email spoofing or unauthorized changes.
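As an added example (not code from this issue or the project), a Go validation function that encodes the UPDATE rule above with the admission-webhook plumbing left out. The User and UserIdentity struct shapes, the UserRef link field, and allowing updates that leave the email unchanged are assumptions, since the issue does not spell out the resource schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a minimal stand-in for the User custom resource (assumed shape).
type User struct {
	Name  string
	Email string
}

// UserIdentity is a minimal stand-in for a linked OIDC identity (assumed shape).
type UserIdentity struct {
	UserRef string // name of the User this identity is linked to (assumed field)
	Email   string // verified email asserted by the identity provider
}

var ErrUnlinkedEmail = errors.New("email is not backed by a linked identity")

// validateEmailUpdate implements the UPDATE check: the new email must equal the
// email of one of the UserIdentities linked to that user. An update that does
// not change the email is allowed (assumption: unrelated updates are not blocked).
func validateEmailUpdate(oldU, newU User, identities []UserIdentity) error {
	if oldU.Email == newU.Email {
		return nil
	}
	want := strings.TrimSpace(newU.Email)
	if want == "" {
		return fmt.Errorf("%w: empty email", ErrUnlinkedEmail)
	}
	for _, id := range identities {
		// Only identities linked to this user count, and the match is exact:
		// the value must be the one the identity provider asserted.
		if id.UserRef == newU.Name && strings.TrimSpace(id.Email) == want {
			return nil
		}
	}
	return fmt.Errorf("%w: %q has no matching UserIdentity for user %q", ErrUnlinkedEmail, want, newU.Name)
}

func main() {
	// Constructed sample data: alice has one linked identity.
	ids := []UserIdentity{{UserRef: "alice", Email: "alice@example.com"}}
	old := User{Name: "alice", Email: "alice@example.com"}
	fmt.Println(validateEmailUpdate(old, User{Name: "alice", Email: "alice@corp.example"}, ids))
}
```

In a real webhook, the returned error becomes the denial message in the AdmissionResponse, and the identities would be listed from the API server with a cache rather than passed in.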