[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
bburke at redhat.com
Sat Jul 25 12:46:36 EDT 2015
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in master.
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
> One relevant question: if the "direct grant" flow has OTP set to optional and a user has enabled OTP with their account, what happens?
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
JBoss, a division of Red Hat