[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Stian Thorgersen stian at redhat.com
Fri Jul 24 09:59:01 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 3:41:51 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> 
> So, setting a verify email required action allows you to replicate the
> problem?
> 
> What version of Keycloak are you using?  Just looking at the code from
> 1.3 and master we don't allow the creation of a token if a required
> action is active.

The problem is that when a user logs in we check whether verify email is required by the realm; if it is and the user hasn't verified their email, we add the required action. We don't do this check in the direct grants API.

> 
> On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
> > That's indeed a bug - can you create a jira please?
> >
> > ----- Original Message -----
> >> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> >> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> >> Sent: Friday, 24 July, 2015 1:56:10 PM
> >> Subject: [keycloak-user] Users able to retrieve a valid Access Token
> >> despite not verifying their email
> >>
> >> Hi,
> >>
> >> We have identified that even if the user hasn't verified his email (he
> >> cannot
> >> log in until it's verified), he can still invoke the 'auth/realms/{realm}/tokens/grants/access'
> >> API and retrieve a valid Access Token. APIs can be
> >> successfully invoked through this Access Token. This seems to be a buggy
> >> scenario.
> >>
> >> Can anyone confirm if this is actually a bug or if this is the expected
> >> behavior?
> >>
> >>
> >> Regards,
> >> Lohitha.
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
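The mechanism Stian describes, as an added illustration that is not Keycloak's own code: a small Python model of the two login flows, where the browser flow derives the VERIFY_EMAIL required action from the realm setting before issuing a token, the pre-fix direct-grant flow never consults that setting, and the fixed flow runs the same evaluation. The class and function names (Realm, User, evaluate_realm_required_actions, direct_grant_buggy, direct_grant_fixed) and the token string are assumptions made for the illustration.

```python
"""Model of the bug in the thread: the browser login flow added the
VERIFY_EMAIL required action from the realm setting, while the direct-grant
flow skipped that step, so an unverified user could still obtain a token.
All names here are illustrative, not Keycloak's real classes (assumption)."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Set


class RequiredAction(Enum):
    VERIFY_EMAIL = "VERIFY_EMAIL"
    UPDATE_PASSWORD = "UPDATE_PASSWORD"


@dataclass
class Realm:
    verify_email: bool            # the realm-level "Verify email" switch


@dataclass
class User:
    username: str
    password: str                 # plaintext only because this is a toy model
    email_verified: bool
    required_actions: Set[RequiredAction] = field(default_factory=set)


class TokenDenied(Exception):
    """Raised instead of issuing a token when the login cannot complete."""


def evaluate_realm_required_actions(realm: Realm, user: User) -> None:
    """Derive required actions from realm policy: the step the thread says
    only the browser login performed."""
    if realm.verify_email and not user.email_verified:
        user.required_actions.add(RequiredAction.VERIFY_EMAIL)


def verify_password(user: User, password: str) -> None:
    if user.password != password:
        raise TokenDenied("invalid credentials")


def issue_token(user: User) -> str:
    """Both flows already refused a token while a required action was pending;
    the gap was in which flow populated that set."""
    if user.required_actions:
        pending = ", ".join(sorted(a.value for a in user.required_actions))
        raise TokenDenied(f"required actions pending: {pending}")
    return f"access-token-for-{user.username}"   # constructed placeholder


def browser_login(realm: Realm, user: User, password: str) -> str:
    verify_password(user, password)
    evaluate_realm_required_actions(realm, user)
    return issue_token(user)


def direct_grant_buggy(realm: Realm, user: User, password: str) -> str:
    """Pre-fix behaviour: credentials checked, token issued, realm policy never consulted."""
    verify_password(user, password)
    return issue_token(user)


def direct_grant_fixed(realm: Realm, user: User, password: str) -> str:
    """Fix: run the same realm policy evaluation before issuing the token."""
    verify_password(user, password)
    evaluate_realm_required_actions(realm, user)
    return issue_token(user)


Flow = Callable[[Realm, User, str], str]


def grants_token(flow: Flow, realm: Realm, user: User, password: str) -> bool:
    """True if the flow hands out a token, False if it is denied."""
    try:
        flow(realm, user, password)
        return True
    except TokenDenied:
        return False


def demo() -> dict:
    """Compare the three flows for an unverified user in a verify-email realm."""
    realm = Realm(verify_email=True)
    results = {}
    for name, flow in (("browser", browser_login),
                       ("direct_grant_buggy", direct_grant_buggy),
                       ("direct_grant_fixed", direct_grant_fixed)):
        # fresh user each time: the realm check mutates required_actions
        user = User("alice", "s3cret", email_verified=False)
        results[name] = grants_token(flow, realm, user, "s3cret")
    return results


if __name__ == "__main__":
    for name, got_token in demo().items():
        print(f"{name:20s} -> {'TOKEN ISSUED' if got_token else 'denied'}")
```

The design point is that the required-action check at token issuance was never the weak spot; what mattered was that the realm policy was evaluated in one entry point and not the other. Centralising that evaluation in a function every token-issuing flow calls is what keeps the two paths from drifting apart again.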

