[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
Bill Burke
bburke at redhat.com
Fri Jul 24 10:08:06 EDT 2015
On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Friday, 24 July, 2015 3:41:51 PM
>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>>
>> So, setting a verify email required action allows you to replicate the
>> problem?
>>
>> What version of Keycloak are you using? Just looking at the code from
>> 1.3 and master we don't allow the creation of a token if a required
>> action is active.
>
> The problem is that when a user logs in we check if verify email is required by the realm, if it is and user hasn't verified email we add the required action. We don't do this check in the direct grants api.
>
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list