
My biggest issue in the version I was evaluating: some service providers use "email" as the username (in fact, many do). Keycloak doesn't make it easy to prohibit users from changing their own email, making it trivial to impersonate someone else and gain access one shouldn't have.

https://keycloak.discourse.group/t/hide-disable-email-change...



Keycloak actually makes it very easy now, assuming you have the account-api and account2 feature flags set (the default these days). You remove "manage-account" inside the "account" client from the default roles. Do mind that this breaks the account console for those users (which is what you probably want anyway).
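The removal described in the comment above, scripted against the Keycloak Admin REST API, as an added example that is not part of the thread and not Keycloak's own tooling. It assumes a Keycloak 13 or newer server, where the default roles of a realm live in the composite realm role "default-roles-<realm>", an admin user in the master realm, and the placeholder server URL and realm name below. The `find_client_role` check is run before and after the change so the script fails loudly if "manage-account" is still granted by default.

```python
"""Drop the 'manage-account' client role of the built-in 'account' client from
a realm's default roles, then verify the removal.

Added example; not Keycloak's own code. Assumptions: Keycloak 13+ (default
roles are the composite realm role 'default-roles-<realm>'), an admin user in
the master realm, and the placeholder KEYCLOAK / REALM values below.
"""
import json
import urllib.parse
import urllib.request

KEYCLOAK = "https://keycloak.example.test"  # assumption: placeholder server
REALM = "myrealm"                            # assumption: placeholder realm
ACCOUNT_CLIENT_ID = "account"                # Keycloak's built-in account client
ROLE_NAME = "manage-account"


def admin_token(username, password):
    """Resource-owner password grant against master/admin-cli. Assumes that
    admin user exists; a confidential service account would work as well."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{KEYCLOAK}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def admin_call(token, method, path, payload=None):
    """Minimal JSON client for /admin/realms/<realm><path>."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{KEYCLOAK}/admin/realms/{REALM}{path}",
                                 data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def find_client_role(composites, client_uuid, role_name):
    """Pure check: return the RoleRepresentation in `composites` that is the
    client role `role_name` of the client with internal id `client_uuid`, or
    None. Client roles carry clientRole=True and containerId=<client uuid>."""
    for role in composites:
        if (role.get("clientRole") and role.get("name") == role_name
                and role.get("containerId") == client_uuid):
            return role
    return None


def remove_manage_account(token):
    """Remove manage-account from the realm's default roles. Returns True if it
    was removed, False if it was not a default role to begin with."""
    # /clients?clientId=account resolves the client's internal UUID
    client_uuid = admin_call(
        token, "GET", f"/clients?clientId={ACCOUNT_CLIENT_ID}")[0]["id"]
    default_role = f"default-roles-{REALM}"
    composites = admin_call(token, "GET", f"/roles/{default_role}/composites")
    target = find_client_role(composites, client_uuid, ROLE_NAME)
    if target is None:
        return False
    # DELETE .../roles/{name}/composites takes a list of RoleRepresentations
    admin_call(token, "DELETE", f"/roles/{default_role}/composites", [target])
    after = admin_call(token, "GET", f"/roles/{default_role}/composites")
    if find_client_role(after, client_uuid, ROLE_NAME) is not None:
        raise RuntimeError("manage-account still granted by default roles")
    return True


if __name__ == "__main__":
    import getpass
    tok = admin_token("admin", getpass.getpass("master admin password: "))
    print("removed" if remove_manage_account(tok) else "already absent")
```

Because the change is made on the composite default role rather than on each user, it applies to every user in the realm at their next token issuance; as the comment notes, those users also lose the account console.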


I don't remember exactly, but I think this also took away the ability for users to manage their factors (i.e., register a new hardware token).


Did they offer some kind of verification path?

So you could only allow an email change if the user proved they owned the new email account by clicking a link or entering a code sent to that account?

Seems like a natural option.

Of course, allowing you to disallow email changes seems pretty reasonable too.


The issue if I remember correctly was that you could require the email to be verified. But while that verification was pending, it would already use the new email as the user’s asserted attribute.
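The relying-party side of the failure mode described in this comment, as an added example that is not part of the thread and not Keycloak code. The weak lookup keys the local account on the `email` claim, so a user whose IdP email has been switched to someone else's (verification still pending) lands in the other person's account. The hardened lookup keys on `(iss, sub)` and consults email only to link a never-before-seen `sub`, and only when `email_verified` is true. It assumes the ID token's signature, issuer, audience and expiry have already been validated and the claims decoded into a dict, that the IdP clears `email_verified` when the email changes, and uses a constructed in-memory account store.

```python
"""Account lookup from validated OIDC ID-token claims: the email-keyed pattern
the thread warns about, next to a sub-keyed version.

Added example, not from the thread or from Keycloak. Assumes claims come from
an already-validated ID token and that the IdP sets email_verified=false while
an email change is pending. The account store is constructed sample data.
"""

ISSUER = "https://keycloak.example.test/realms/myrealm"  # assumption: placeholder


class LoginRejected(Exception):
    """Validated claims could not be safely mapped to a local account."""


def sample_store():
    """Constructed sample data: accounts keyed by (iss, sub) plus an email
    index that exists only to link a first login."""
    by_sub = {
        (ISSUER, "sub-victim"): {"id": 1, "email": "victim@example.test", "role": "admin"},
        (ISSUER, "sub-attacker"): {"id": 2, "email": "attacker@example.test", "role": "user"},
    }
    by_email = {a["email"]: a for a in by_sub.values()}
    return by_sub, by_email


def weak_lookup(claims, by_email):
    """Email is the username. Whoever can make the IdP assert your email
    address is you, verified or not."""
    return by_email.get(claims.get("email"))


def hardened_lookup(claims, by_sub, by_email):
    """Key on the issuer-scoped subject; use email only to link a new subject,
    and only when the IdP asserts it has been verified."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss != ISSUER or not sub:
        raise LoginRejected("missing or foreign iss/sub")
    account = by_sub.get((iss, sub))
    if account is not None:
        return account  # the stable identifier wins whatever the email says
    if claims.get("email_verified") is not True:
        raise LoginRejected("unverified email cannot link an account")
    linked = by_email.get(claims.get("email"))
    if linked is None:
        raise LoginRejected("no account for this verified email; provision instead")
    by_sub[(iss, sub)] = linked  # pin the subject so email is never consulted again
    return linked


def demo():
    """Attacker has changed their IdP email to the victim's; verification is
    still pending, but the IdP already asserts the new address."""
    by_sub, by_email = sample_store()
    claims = {"iss": ISSUER, "sub": "sub-attacker",
              "email": "victim@example.test", "email_verified": False}
    return weak_lookup(claims, by_email)["id"], hardened_lookup(claims, by_sub, by_email)["id"]


if __name__ == "__main__":
    weak, hard = demo()
    print(f"email-keyed lookup -> account {weak}; sub-keyed lookup -> account {hard}")
```

Linking on a verified email still trusts the IdP's verification flow, so for high-value accounts provisioning a fresh account for an unknown `sub` is the safer default.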

