[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Bill Burke bburke at redhat.com
Sat Jul 25 12:46:36 EDT 2015

On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in master.

Ok, I added a test and it is passing.  Can you verify I'm doing the 
right checks?  If I'm testing this right, I'll close the bug.


> One relevant question: if the "direct grant" flow has OTP set to optional and the user has enabled OTP on their account, what happens?

If the user has OTP set up, then direct grant flow will expect it.  If 
it is not there, it will send an error message.

BruteForceTest.testGrantMissingOtp() tests this.

Bill Burke
JBoss, a division of Red Hat
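The two checks discussed in this thread, the email-verification requirement from the subject line and the OTP expectation in the direct grant (password) flow, as an added, stand-alone model. This is example code written for this archive page, not Bill's test, not Keycloak's own code, and it does not talk to a server. It assumes: the OTP arrives in a form field named `totp`, the OTP is RFC 6238 TOTP over HMAC-SHA1 with 6 digits and a 30 second step, and the error bodies are illustrative stand-ins for the `invalid_grant` responses a token endpoint returns; the users, realm settings and secret are all constructed.

```python
"""Toy model of the decision a direct-grant (password) token endpoint
makes before it hands out an access token. Constructed example, not
Keycloak's implementation.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    password: str                       # plaintext only because this is a toy
    email_verified: bool
    totp_secret: Optional[bytes] = None  # set when the user has configured OTP


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing for_time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret: bytes, code: str, now: int, look_around: int = 1) -> bool:
    """Accept the current step plus look_around steps either side (clock skew)."""
    return any(
        hmac.compare_digest(totp(secret, now + i * 30), code)
        for i in range(-look_around, look_around + 1)
    )


def direct_grant(realm: Dict[str, bool], users: Dict[str, User],
                 form: Dict[str, str], now: int) -> Tuple[int, Dict[str, str]]:
    """Return (http_status, body) for a password-grant request.

    Order matters: credentials first, then the OTP the user has configured
    (the 'optional' OTP step is only optional for users who never set it up),
    and only then the account-state checks such as email verification.
    """
    denied = (401, {"error": "invalid_grant",
                    "error_description": "Invalid user credentials"})

    user = users.get(form.get("username", ""))
    if user is None or not hmac.compare_digest(user.password, form.get("password", "")):
        return denied

    if user.totp_secret is not None:
        # User has OTP configured: the flow now expects it. A missing or wrong
        # code is reported exactly like a bad password, so an attacker cannot
        # tell which factor failed.
        code = form.get("totp")
        if not code or not totp_valid(user.totp_secret, code, now):
            return denied

    if realm["verify_email"] and not user.email_verified:
        # The reported bug: without this check a correct password (and OTP)
        # yields a token even though the email was never verified.
        return 400, {"error": "invalid_grant",
                     "error_description": "Account is not fully set up"}

    # Success: a real endpoint issues a signed JWT here; this is a stand-in.
    return 200, {"access_token": "constructed-opaque-token", "token_type": "bearer"}


# Constructed fixtures. The secret is the RFC 4226/6238 test-vector key.
SECRET = b"12345678901234567890"
USERS = {
    "alice": User("alice", "alice-pw", email_verified=True),
    "bob": User("bob", "bob-pw", email_verified=True, totp_secret=SECRET),
    "carol": User("carol", "carol-pw", email_verified=False),
}
REALM_REQUIRES_VERIFIED_EMAIL = {"verify_email": True}
REALM_NO_EMAIL_CHECK = {"verify_email": False}


if __name__ == "__main__":
    now = 59  # fixed time so the TOTP value is reproducible
    for form in ({"username": "bob", "password": "bob-pw"},
                 {"username": "bob", "password": "bob-pw", "totp": totp(SECRET, now)},
                 {"username": "carol", "password": "carol-pw"}):
        print(form, "->", direct_grant(REALM_REQUIRES_VERIFIED_EMAIL, USERS, form, now))
```

Running the block with the realm's verify-email switch off reproduces the behaviour Stian reported (carol gets a token without a verified address); with it on, the same request is refused. For bob, the request without `totp` fails with the same response as a wrong password, which is the "error message" Bill describes for a user who has OTP set up.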
