The docs on account linking warn that autolinking is dangerous on sites that allow users to sign up with arbitrary usernames and email addresses. Is that only the case if usernames and email addresses are separate, or is it also true if your realm uses email addresses as usernames?
With separate usernames and email addresses, especially if email verification isn’t required, I can see the security issue: you could create an account with a different username but the same email address as a user who logs in with, say, their Google account using the Google IdP. But with email-as-username plus mandatory email verification, I haven’t been able to figure out a viable attack: you can only complete the registration process if you can read the verification email, and you can’t do that without already having access to the target’s Google account, at which point you’d be able to masquerade as them even without autolinking.
But I am not a security expert like you fine folks! Am I missing a vulnerability that makes autolinking a bad idea even in an email-as-username setup with email verification required?
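An added illustration, not part of the original post: a minimal autolink decision routine that makes the checks behind the reasoning above explicit, so each scenario can be evaluated against sample data. The account and assertion types, the field names and the `email_verified` flag on the IdP side (modelled on the OIDC claim of that name) are assumptions, not any particular product's API.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class LocalAccount:
    username: str           # in an email-as-username realm this equals email
    email: str
    email_verified: bool    # True only once the verification mail was acted on

@dataclass
class IdpAssertion:
    provider: str
    subject: str            # stable user id at the IdP
    email: Optional[str]
    email_verified: bool    # whether the IdP itself vouches for the address

def normalize(addr: str) -> str:
    # Compare addresses case-insensitively so "Bob@Example.com" matches.
    return addr.strip().lower()

def autolink_decision(local: LocalAccount, idp: IdpAssertion) -> Tuple[bool, str]:
    """Decide whether an IdP login may be linked to an existing local account.

    Every branch that returns False is a condition under which linking would
    attach the IdP identity to an account nobody has proven control of.
    """
    if not idp.email:
        return False, "IdP asserted no email address"
    if not idp.email_verified:
        return False, "IdP does not vouch for the asserted email"
    if normalize(idp.email) != normalize(local.email):
        return False, "email addresses differ"
    if not local.email_verified:
        # The case from the post: an account registered with someone else's
        # address but never verified must not be linked.
        return False, "local account never completed email verification"
    return True, "both sides verified and matching; link allowed"

# Constructed sample data for the scenarios discussed above.
VERIFIED_OWNER = LocalAccount("alice@example.com", "alice@example.com", True)
UNVERIFIED_SQUATTER = LocalAccount("alice@example.com", "Alice@Example.com", False)
GOOGLE_ALICE = IdpAssertion("google", "sub-123", "alice@example.com", True)
GOOGLE_UNVOUCHED = IdpAssertion("google", "sub-123", "alice@example.com", False)
```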