[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Bill Burke bburke at redhat.com
Fri Jul 24 10:10:03 EDT 2015


Fix is simple.  I'll commit it.

On 7/24/2015 10:08 AM, Bill Burke wrote:
>
>
> On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Friday, 24 July, 2015 3:41:51 PM
>>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>>>
>>> So, setting a verify email required action allows you to replicate the
>>> problem?
>>>
>>> What version of Keycloak are you using?  Just looking at the code from
>>> 1.3 and master we don't allow the creation of a token if a required
>>> action is active.
>>
>> The problem is that when a user logs in we check if verify email is required by the realm, if it is and user hasn't verified email we add the required action. We don't do this check in the direct grants api.
>>
>
> This check might be gone entirely now.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-user mailing list