Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Friday, 24 July, 2015 4:10:44 PM Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email Was just looking at it and can't find anything that would check it, but RequiredActionEmailVerificationTest which is supposed to test it is passing ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Sent: Friday, 24 July, 2015 4:08:06 PM > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > despite not verifying their email > > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" <bburke(a)redhat.com&gt; > >> To: keycloak-user(a)lists.jboss.org > >> Sent: Friday, 24 July, 2015 3:41:51 PM > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > >> despite not verifying their email > >> > >> So, setting a verify email required action allows you to replicate the > >> problem? > >> > >> What version of Keycloak are you using? Just looking at the code from > >> 1.3 and master we don't allow the creation of a token if a required > >> action is active. > > > > The problem is that when a user logs in we check if verify email is > > required by the realm, if it is and user hasn't verified email we add the > > required action. We don't do this check in the direct grants api. > > > > This check might be gone entirely now. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user