[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Stian Thorgersen stian at redhat.com
Fri Jul 24 10:15:37 EDT 2015


Tried it manually and it's not working. Users don't have to verify email in master.

One relevant question: if the "direct grant" flow has OTP set to optional and the user has enabled OTP on their account, what happens?

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 4:10:44 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> 
> Was just looking at it and can't find anything that would check it, but
> RequiredActionEmailVerificationTest which is supposed to test it is passing
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 24 July, 2015 4:08:06 PM
> > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> > despite not verifying their email
> > 
> > 
> > 
> > On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: keycloak-user at lists.jboss.org
> > >> Sent: Friday, 24 July, 2015 3:41:51 PM
> > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> > >> despite not verifying their email
> > >>
> > >> So, setting a verify email required action allows you to replicate the
> > >> problem?
> > >>
> > >> What version of Keycloak are you using?  Just looking at the code from
> > >> 1.3 and master we don't allow the creation of a token if a required
> > >> action is active.
> > >
> > > The problem is that when a user logs in we check if verify email is
> > > required by the realm, if it is and user hasn't verified email we add the
> > > required action. We don't do this check in the direct grants api.
> > >
> > 
> > This check might be gone entirely now.
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
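The gap described in the thread (the browser login applies the realm's verify-email policy before deciding whether to issue a token, while the direct-grant path only honours required actions already stored on the user) as an added Python model; this is not Keycloak's own code, and the realm/user fields and flow function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Name of the required action the thread talks about (constructed label).
VERIFY_EMAIL = "VERIFY_EMAIL"


@dataclass
class Realm:
    verify_email_required: bool  # realm-level "verify email" setting


@dataclass
class User:
    username: str
    email_verified: bool
    required_actions: set = field(default_factory=set)  # actions stored on the user


class TokenDenied(Exception):
    """Raised when a pending required action blocks token issuance."""


def evaluate_required_actions(realm: Realm, user: User) -> None:
    """Apply realm policy to the user: the step the browser login performs
    and which the direct-grant endpoint was reported to skip."""
    if realm.verify_email_required and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)


def issue_token(user: User) -> dict:
    """Common rule from the thread: no token while a required action is active."""
    if user.required_actions:
        raise TokenDenied(f"pending required actions: {sorted(user.required_actions)}")
    return {"sub": user.username, "typ": "Bearer"}


def browser_login(realm: Realm, user: User) -> dict:
    evaluate_required_actions(realm, user)
    return issue_token(user)


def direct_grant_buggy(realm: Realm, user: User) -> dict:
    # Models the reported behaviour: realm policy is never consulted, so only
    # actions already present on the user can block the token.
    return issue_token(user)


def direct_grant_fixed(realm: Realm, user: User) -> dict:
    # Defensive fix: both entry points share the same policy evaluation.
    evaluate_required_actions(realm, user)
    return issue_token(user)


def token_issued(flow, realm: Realm, user: User) -> bool:
    """Helper for checking a flow's outcome without inspecting the token."""
    try:
        flow(realm, user)
        return True
    except TokenDenied:
        return False
```

Running the two direct-grant variants against an unverified user in a realm that requires verification shows the inconsistency the thread reports, and the shared helper is the kind of check a regression test for it should assert on.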

