[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
Bill Burke
bburke at redhat.com
Sat Jul 25 12:46:36 EDT 2015
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in master.
>
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
> One relevant question: if the "direct grant" flow has OTP set to optional and the user has enabled OTP with their account, what happens?
>
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
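The two checks the thread discusses (no token for a user whose email is unverified, and an OTP becoming mandatory in direct grant once the user has enrolled one) modelled as a small standalone policy in Python. This is an added illustration, not Keycloak code and not the tests Bill names: `DirectGrantServer`, `User`, the `totp` form field and the error strings are assumptions of this example that mirror my understanding of Keycloak's behaviour, and the TOTP routine is a plain RFC 6238 implementation (HMAC-SHA1, 30 s step, 6 digits) using the RFC test secret as constructed sample data.

```python
"""Toy model of the direct-grant (Resource Owner Password Credentials) checks.

Constructed example, not Keycloak code. It models two behaviours:
  1. a user who has not verified their email must not receive a token, and
  2. when the user has OTP configured, a request without a valid OTP is rejected
     even though OTP is "optional" in the flow.
Field name `totp`, class names and error strings are assumptions of this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


@dataclass
class User:
    username: str
    password: str              # plaintext only because this is a toy; never store passwords this way
    email_verified: bool
    otp_secret: Optional[str]  # None means the user has not set up OTP


class DirectGrantServer:
    """Decides whether a password-grant request should be issued a token."""

    def __init__(self, users: Dict[str, User], require_verified_email: bool = True):
        self.users = users
        self.require_verified_email = require_verified_email

    def token(self, form: Dict[str, str], now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        user = self.users.get(form.get("username", ""))
        # Same error for unknown user and wrong password so the response does not reveal which.
        if user is None or not hmac.compare_digest(user.password, form.get("password", "")):
            return {"status": 401, "error": "invalid_grant",
                    "error_description": "Invalid user credentials"}
        # OTP is optional in the flow, but once a user has enrolled it becomes required for them.
        if user.otp_secret is not None:
            code = form.get("totp")
            if code is None or not verify_totp(user.otp_secret, code, now):
                return {"status": 401, "error": "invalid_grant",
                        "error_description": "Invalid user credentials"}
        # A pending required action (here: email verification) blocks token issuance.
        if self.require_verified_email and not user.email_verified:
            return {"status": 400, "error": "invalid_grant",
                    "error_description": "Account is not fully set up"}
        return {"status": 200, "access_token": f"<token-for-{user.username}>",
                "token_type": "Bearer"}


# Constructed sample data: the RFC 4226/6238 test secret ("12345678901234567890") in base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_USERS = {
    "alice": User("alice", "pw-alice", email_verified=True, otp_secret=None),
    "bob": User("bob", "pw-bob", email_verified=False, otp_secret=None),
    "carol": User("carol", "pw-carol", email_verified=True, otp_secret=RFC_SECRET_B32),
}
SERVER = DirectGrantServer(SAMPLE_USERS)


if __name__ == "__main__":
    now = 59  # fixed clock so the RFC test vector applies
    print("bob (unverified email):", SERVER.token({"username": "bob", "password": "pw-bob"}, now))
    print("carol without OTP:", SERVER.token({"username": "carol", "password": "pw-carol"}, now))
    print("carol with OTP:", SERVER.token(
        {"username": "carol", "password": "pw-carol", "totp": totp(RFC_SECRET_B32, now)}, now))
```

The ordering matters: credentials (password, then OTP if enrolled) are checked before the required-action check, so an attacker cannot use the "not fully set up" response to confirm a password guess for an unverified account, and the OTP branch returns the same generic error as a bad password.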