[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Stian Thorgersen stian at redhat.com
Fri Jul 24 10:10:44 EDT 2015


Was just looking at it and can't find anything that would check it, but RequiredActionEmailVerificationTest, which is supposed to test it, is passing

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 4:08:06 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> 
> 
> 
> On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Friday, 24 July, 2015 3:41:51 PM
> >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> >> despite not verifying their email
> >>
> >> So, setting a verify email required action allows you to replicate the
> >> problem?
> >>
> >> What version of Keycloak are you using?  Just looking at the code from
> >> 1.3 and master we don't allow the creation of a token if a required
> >> action is active.
> >
> > The problem is that when a user logs in we check if verify email is
> > required by the realm, if it is and user hasn't verified email we add the
> > required action. We don't do this check in the direct grants api.
> >
> 
> This check might be gone entirely now.
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
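As an added illustration that is not Keycloak's own code: a minimal model of the two entry points the thread compares. The realm-level verify-email check is applied on browser login but skipped on the direct grant path, and a patched direct grant applies it. The names (Realm, User, issue_token, direct_grant_unpatched, direct_grant_patched) are assumptions of this model, not Keycloak identifiers.

```python
from dataclasses import dataclass, field

VERIFY_EMAIL = "VERIFY_EMAIL"


@dataclass
class Realm:
    verify_email: bool  # realm-level "verify email" setting (modelled)


@dataclass
class User:
    username: str
    email_verified: bool
    required_actions: set = field(default_factory=set)


class RequiredActionPending(Exception):
    """Raised when a token is requested while a required action is outstanding."""


def add_verify_email_if_needed(realm: Realm, user: User) -> None:
    # The check described in the thread: realm requires verification and
    # the user has not verified, so a VERIFY_EMAIL required action is added.
    if realm.verify_email and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)


def issue_token(user: User) -> str:
    # Token minting refuses while any required action is pending (as Bill
    # describes for 1.3/master). The returned string is a placeholder, not a JWT.
    if user.required_actions:
        raise RequiredActionPending(sorted(user.required_actions))
    return f"token-for-{user.username}"


def browser_login(realm: Realm, user: User) -> str:
    add_verify_email_if_needed(realm, user)   # check runs on this path
    return issue_token(user)


def direct_grant_unpatched(realm: Realm, user: User) -> str:
    # Bug modelled from the thread: the realm check is never run here, so an
    # unverified user with no pending action still receives a token.
    return issue_token(user)


def direct_grant_patched(realm: Realm, user: User) -> str:
    add_verify_email_if_needed(realm, user)   # same check as browser login
    return issue_token(user)


def attempt(entry_point, realm: Realm, user: User) -> str:
    """Run an entry point and report either the token or the denial reason."""
    try:
        return entry_point(realm, user)
    except RequiredActionPending as e:
        return "denied:" + ",".join(e.args[0])
```

The lasting fix is to perform the realm check inside token issuance itself rather than in each caller, so a new entry point cannot omit it.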

