On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Friday, 24 July, 2015 3:41:51 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
> So, setting a verify email required action allows you to replicate the
> problem?
>
> What version of Keycloak are you using? Just looking at the code from
> 1.3 and master we don't allow the creation of a token if a required
> action is active.
The problem is that when a user logs in we check if verify email is required by the
realm; if it is and the user hasn't verified their email, we add the required action. We
don't do this check in the direct grants API.
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
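The gap described in the thread, modelled as an added example (not Keycloak code; `Realm`, `User`, `apply_realm_required_actions` and the flow functions are illustrative names): the browser login flow derives the VERIFY_EMAIL required action from realm policy before a token is issued, while the direct-grant flow skipped that step, so the "no token while a required action is pending" rule in the issuer never fired for unverified users.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Realm:
    # Hypothetical stand-in for the realm's "verify email" setting.
    verify_email_required: bool


@dataclass
class User:
    username: str
    email_verified: bool
    required_actions: Set[str] = field(default_factory=set)


def apply_realm_required_actions(realm: Realm, user: User) -> None:
    """The step the browser login flow performs: turn realm policy into a
    pending required action on the user."""
    if realm.verify_email_required and not user.email_verified:
        user.required_actions.add("VERIFY_EMAIL")


def issue_token(user: User) -> Optional[dict]:
    """Token creation refuses while any required action is pending."""
    if user.required_actions:
        return None
    return {"sub": user.username, "typ": "Bearer"}


def browser_login(realm: Realm, user: User) -> Optional[dict]:
    apply_realm_required_actions(realm, user)
    return issue_token(user)


def direct_grant_before_fix(realm: Realm, user: User) -> Optional[dict]:
    # Defect from the thread: realm policy is never consulted on this path,
    # so no required action is added and issue_token() sees nothing pending.
    return issue_token(user)


def direct_grant_fixed(realm: Realm, user: User) -> Optional[dict]:
    # Hardened path: every token-issuing entry point runs the same policy
    # step, so the email-verification rule cannot be bypassed by flow choice.
    apply_realm_required_actions(realm, user)
    return issue_token(user)
```

The lesson generalises beyond email verification: invariants such as "no token while an action is pending" belong in the issuer or a shared pre-issue step, not in one client-facing flow.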