6:56 a.m.
Hi,
We have identified that even if the user hasn't verified his email (he
cannot log in until it's verified), he can still invoke the
'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access
Token. APIs can be successfully invoked through this Access Token. This
seems to be a buggy scenario.
Can anyone confirm if this is actually a bug or if this is the expected
behavior?
Regards,
Lohitha.
8:34 a.m.
That's indeed a bug - can you create a jira please?
----- Original Message -----
From: "Lohitha Chiranjeewa" <kalc04(a)gmail.com>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Friday, 24 July, 2015 1:56:10 PM
Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
Hi,
We have identified that even if the user hasn't verified his email (he cannot
log in until it's verified), he can still invoke the 'auth/realms/{realm}
/tokens /grants/access' API and retrieve a valid Access Token. APIs can be
successfully invoked through this Access Token. This seems to be a buggy
scenario.
Can anyone confirm if this is actually a bug or if this is the expected
behavior?
Regards,
Lohitha.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:41 a.m.
So, setting a verify email required action allows you to replicate the
problem?
What version of Keycloak are you using? Just looking at the code from
1.3 and master we don't allow the creation of a token if a required
action is active.
On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
That's indeed a bug - can you create a jira please?
----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04(a)gmail.com>
> To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
> Sent: Friday, 24 July, 2015 1:56:10 PM
> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
>
> Hi,
>
> We have identified that even if the user hasn't verified his email (he cannot
> log in until it's verified), he can still invoke the 'auth/realms/{realm}
> /tokens /grants/access' API and retrieve a valid Access Token. APIs can be
> successfully invoked through this Access Token. This seems to be a buggy
> scenario.
>
> Can anyone confirm if this is actually a bug or if this is the expected
> behavior?
>
>
> Regards,
> Lohitha.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:59 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 3:41:51 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
So, setting a verify email required action allows you to replicate the
problem?
What version of Keycloak are you using? Just looking at the code from
1.3 and master we don't allow the creation of a token if a required
action is active.
The problem is that when a user logs in we check if verify email is required by the realm,
if it is and user hasn't verified email we add the required action. We don't do
this check in the direct grants api.
On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
> That's indeed a bug - can you create a jira please?
>
> ----- Original Message -----
>> From: "Lohitha Chiranjeewa" <kalc04(a)gmail.com>
>> To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
>> Sent: Friday, 24 July, 2015 1:56:10 PM
>> Subject: [keycloak-user] Users able to retrieve a valid Access Token
>> despite not verifying their email
>>
>> Hi,
>>
>> We have identified that even if the user hasn't verified his email (he
>> cannot
>> log in until it's verified), he can still invoke the
'auth/realms/{realm}
>> /tokens /grants/access' API and retrieve a valid Access Token. APIs can be
>> successfully invoked through this Access Token. This seems to be a buggy
>> scenario.
>>
>> Can anyone confirm if this is actually a bug or if this is the expected
>> behavior?
>>
>>
>> Regards,
>> Lohitha.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:08 a.m.
On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Friday, 24 July, 2015 3:41:51 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
>
> So, setting a verify email required action allows you to replicate the
> problem?
>
> What version of Keycloak are you using? Just looking at the code from
> 1.3 and master we don't allow the creation of a token if a required
> action is active.
The problem is that when a user logs in we check if verify email is required by the
realm, if it is and user hasn't verified email we add the required action. We
don't do this check in the direct grants api.
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:10 a.m.
Fix is simple. I'll commit it.
On 7/24/2015 10:08 AM, Bill Burke wrote:
On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Friday, 24 July, 2015 3:41:51 PM
>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite
not verifying their email
>>
>> So, setting a verify email required action allows you to replicate the
>> problem?
>>
>> What version of Keycloak are you using? Just looking at the code from
>> 1.3 and master we don't allow the creation of a token if a required
>> action is active.
>
> The problem is that when a user logs in we check if verify email is required by the
realm, if it is and user hasn't verified email we add the required action. We
don't do this check in the direct grants api.
>
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:10 a.m.
Was just looking at it and can't find anything that would check it, but
RequiredActionEmailVerificationTest which is supposed to test it is passing
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 4:08:06 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Friday, 24 July, 2015 3:41:51 PM
>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
>> despite not verifying their email
>>
>> So, setting a verify email required action allows you to replicate the
>> problem?
>>
>> What version of Keycloak are you using? Just looking at the code from
>> 1.3 and master we don't allow the creation of a token if a required
>> action is active.
>
> The problem is that when a user logs in we check if verify email is
> required by the realm, if it is and user hasn't verified email we add the
> required action. We don't do this check in the direct grants api.
>
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:15 a.m.
Tried it manually and it's not working. Users don't have to verify email in
master.
One relevant question if "direct grant" flow has OTP set to optional and user
has enabled otp with its account what happens?
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 4:10:44 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
Was just looking at it and can't find anything that would check it, but
RequiredActionEmailVerificationTest which is supposed to test it is passing
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Friday, 24 July, 2015 4:08:06 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> despite not verifying their email
>
>
>
> On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: keycloak-user(a)lists.jboss.org
> >> Sent: Friday, 24 July, 2015 3:41:51 PM
> >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> >> despite not verifying their email
> >>
> >> So, setting a verify email required action allows you to replicate the
> >> problem?
> >>
> >> What version of Keycloak are you using? Just looking at the code from
> >> 1.3 and master we don't allow the creation of a token if a required
> >> action is active.
> >
> > The problem is that when a user logs in we check if verify email is
> > required by the realm, if it is and user hasn't verified email we add the
> > required action. We don't do this check in the direct grants api.
> >
>
> This check might be gone entirely now.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:46 a.m.
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
Tried it manually and it's not working. Users don't have to
verify email in master.
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
One relevant question if "direct grant" flow has OTP set to
optional and user has enabled otp with its account what happens?
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:46 a.m.
Looks good
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Saturday, 25 July, 2015 6:46:36 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in
> master.
>
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
> One relevant question if "direct grant" flow has OTP set to optional and
> user has enabled otp with its account what happens?
>
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:17 a.m.
The test only checks if new users have to verify email, not that existing users have to
verify email. Added https://issues.jboss.org/browse/KEYCLOAK-1696
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 4:10:44 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email
Was just looking at it and can't find anything that would check it, but
RequiredActionEmailVerificationTest which is supposed to test it is passing
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Friday, 24 July, 2015 4:08:06 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> despite not verifying their email
>
>
>
> On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: keycloak-user(a)lists.jboss.org
> >> Sent: Friday, 24 July, 2015 3:41:51 PM
> >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
> >> despite not verifying their email
> >>
> >> So, setting a verify email required action allows you to replicate the
> >> problem?
> >>
> >> What version of Keycloak are you using? Just looking at the code from
> >> 1.3 and master we don't allow the creation of a token if a required
> >> action is active.
> >
> > The problem is that when a user logs in we check if verify email is
> > required by the realm, if it is and user hasn't verified email we add the
> > required action. We don't do this check in the direct grants api.
> >
>
> This check might be gone entirely now.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:03 a.m.
We're using 1.2.0.Final, and we're running our tests on a separate realm as
our master realm is reserved for admin tasks only. Not sure if the behavior
changes from master to other realms.
In 1.2.0.Final version, both new and existing users have to verify their
emails once the feature is turned on. Maybe it's broken in the newer
version.
Stian, will the ticket created by you (KEYCLOAK-1696) capture the initial
bug mentioned by me as well? Or do I have to report a separate ticket for
that?
Thanks,
Lohitha.
On Fri, Jul 24, 2015 at 7:47 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
The test only checks if new users have to verify email, not that
existing
users have to verify email. Added
https://issues.jboss.org/browse/KEYCLOAK-1696
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Friday, 24 July, 2015 4:10:44 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
despite not verifying their email
>
> Was just looking at it and can't find anything that would check it, but
> RequiredActionEmailVerificationTest which is supposed to test it is
passing
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Friday, 24 July, 2015 4:08:06 PM
> > Subject: Re: [keycloak-user] Users able to retrieve a valid Access
Token
> > despite not verifying their email
> >
> >
> >
> > On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke(a)redhat.com>
> > >> To: keycloak-user(a)lists.jboss.org
> > >> Sent: Friday, 24 July, 2015 3:41:51 PM
> > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access
Token
> > >> despite not verifying their email
> > >>
> > >> So, setting a verify email required action allows you to replicate
the
> > >> problem?
> > >>
> > >> What version of Keycloak are you using? Just looking at the code
from
> > >> 1.3 and master we don't allow the creation of a token if a
required
> > >> action is active.
> > >
> > > The problem is that when a user logs in we check if verify email is
> > > required by the realm, if it is and user hasn't verified email we
add the
> > > required action. We don't do this check in the direct grants api.
> > >
> >
> > This check might be gone entirely now.
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3441
days inactive
3444
days old
11 comments
3 participants
participants (3)
-
Bill Burke -
Lohitha Chiranjeewa -
Stian Thorgersen