[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Stian Thorgersen stian at redhat.com
Fri Jul 24 10:17:45 EDT 2015


The test only checks if new users have to verify email, not that existing users have to verify email. Added https://issues.jboss.org/browse/KEYCLOAK-1696

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 4:10:44 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> 
> Was just looking at it and can't find anything that would check it, but
> RequiredActionEmailVerificationTest which is supposed to test it is passing
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 24 July, 2015 4:08:06 PM
> > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> > despite not verifying their email
> > 
> > 
> > 
> > On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: keycloak-user at lists.jboss.org
> > >> Sent: Friday, 24 July, 2015 3:41:51 PM
> > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> > >> despite not verifying their email
> > >>
> > >> So, setting a verify email required action allows you to replicate the
> > >> problem?
> > >>
> > >> What version of Keycloak are you using?  Just looking at the code from
> > >> 1.3 and master we don't allow the creation of a token if a required
> > >> action is active.
> > >
> > > The problem is that when a user logs in we check if verify email is
> > > required by the realm, if it is and user hasn't verified email we add the
> > > required action. We don't do this check in the direct grants api.
> > >
> > 
> > This check might be gone entirely now.
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
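The gap Stian describes above (the browser login path evaluates the realm's "verify email" setting and adds a required action, while the direct grants path never performs that evaluation) is easy to see in a small model. The code below is an added illustration written for this thread, not Keycloak's own code: `Realm`, `User`, `browser_login`, `direct_grant_unchecked` and `direct_grant_checked` are simplified stand-ins for the real classes and endpoints, and the token is a plain dict.

```python
"""Simplified model of the required-action gap discussed in the thread.
Not Keycloak code: the classes and function names here are invented
stand-ins for the realm, user, browser login flow and direct grant
endpoint, chosen to show why the two paths behave differently."""
from dataclasses import dataclass, field

VERIFY_EMAIL = "VERIFY_EMAIL"


@dataclass
class Realm:
    # Realm-level setting: must users verify their email address?
    verify_email: bool


@dataclass
class User:
    username: str
    email_verified: bool
    # Required actions already stored on the user record.
    required_actions: set = field(default_factory=set)


def issue_token(user):
    """Stand-in for token issuance: returns a minimal claims dict."""
    return {"sub": user.username, "email_verified": user.email_verified}


def evaluate_realm_requirements(realm, user):
    """The check the browser flow performs: if the realm demands email
    verification and the user has not verified, attach the VERIFY_EMAIL
    required action. Returns the set of outstanding actions."""
    if realm.verify_email and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)
    return set(user.required_actions)


def browser_login(realm, user):
    """Browser flow: evaluate realm requirements first, then refuse a
    token while any required action is outstanding (the real flow would
    redirect the user to complete the action instead)."""
    if evaluate_realm_requirements(realm, user):
        return None
    return issue_token(user)


def direct_grant_unchecked(realm, user):
    """Direct grant as described in the thread: it only honours actions
    already stored on the user and never consults the realm setting, so
    an unverified user with no stored action receives a token."""
    if user.required_actions:
        return None
    return issue_token(user)


def direct_grant_checked(realm, user):
    """Hardened direct grant: run the same realm-level evaluation the
    browser flow runs before deciding whether to issue a token."""
    if evaluate_realm_requirements(realm, user):
        return None
    return issue_token(user)


if __name__ == "__main__":
    realm = Realm(verify_email=True)
    # Constructed sample: an existing user who never verified and has no
    # stored required action (the situation the bug report hinges on).
    print("unchecked direct grant:", direct_grant_unchecked(realm, User("alice", False)))
    print("checked direct grant:  ", direct_grant_checked(realm, User("alice", False)))
    print("browser login:         ", browser_login(realm, User("alice", False)))
```

The point of the model is that the vulnerable path is not missing an authorization check so much as relying on state (stored required actions) that only another code path populates; the fix is to derive the requirement from the realm setting in every path that issues tokens, which is also what a regression test should assert for existing users, not just newly registered ones.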

