[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Bill Burke bburke at redhat.com
Fri Jul 24 09:41:51 EDT 2015


So, setting a verify email required action allows you to replicate the 
problem?

What version of Keycloak are you using?  Just looking at the code from 
1.3 and master we don't allow the creation of a token if a required 
action is active.

On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
> That's indeed a bug - can you create a jira please?
>
> ----- Original Message -----
>> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
>> To: "keycloak-user" <keycloak-user at lists.jboss.org>
>> Sent: Friday, 24 July, 2015 1:56:10 PM
>> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>>
>> Hi,
>>
>> We have identified that even if the user hasn't verified his email (he cannot
>> log in until it's verified), he can still invoke the 'auth/realms/{realm}
>> /tokens/grants/access' API and retrieve a valid Access Token. APIs can be
>> successfully invoked through this Access Token. This seems to be a buggy
>> scenario.
>>
>> Can anyone confirm if this is actually a bug or if this is the expected
>> behavior?
>>
>>
>> Regards,
>> Lohitha.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
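An added regression check for the behaviour reported in this thread (example code, not from the thread or from Keycloak): it posts a direct grant for a user whose email is still unverified and treats any issued access_token as a failure. The base URL, realm, client and user names and the two fake server responses are constructed placeholders; the endpoint path is the one quoted in the report (Keycloak 1.x), so adjust it for other versions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Direct-grant path as quoted in the report (Keycloak 1.x era); assumption for other versions.
DIRECT_GRANT_PATH = "auth/realms/{realm}/tokens/grants/access"


def _http_post(url, body):
    """Real transport: POST a form body, return (http_status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def direct_grant(base_url, realm, client_id, username, password, transport=_http_post):
    """Request a token via the direct (password) grant; transport is pluggable for offline tests."""
    url = "%s/%s" % (base_url.rstrip("/"), DIRECT_GRANT_PATH.format(realm=realm))
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    return transport(url, body)


def unverified_user_is_blocked(status, payload):
    """Verdict for a user with a pending verify-email action: correct only if no token was issued."""
    return status != 200 and "access_token" not in payload


# Constructed fake transports reproducing the two behaviours discussed in the thread.
def buggy_server(url, body):
    # Issues a usable token although the account still has a required action pending.
    return 200, {"access_token": "constructed.placeholder.token", "token_type": "bearer"}


def fixed_server(url, body):
    # Refuses the grant while a required action is active (constructed error body).
    return 400, {"error": "invalid_grant", "error_description": "required action pending"}


if __name__ == "__main__":
    for name, fake in (("buggy", buggy_server), ("fixed", fixed_server)):
        status, payload = direct_grant("http://keycloak.example", "demo", "app",
                                       "unverified-user", "placeholder-pw", transport=fake)
        print(name, "blocked" if unverified_user_is_blocked(status, payload) else "TOKEN ISSUED")
```

Point `direct_grant` at a test realm with a freshly created, unverified user and the default transport to check a live deployment.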

