----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 3:41:51 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
So, setting a verify email required action allows you to replicate the
problem?
What version of Keycloak are you using? Just looking at the code from
1.3 and master we don't allow the creation of a token if a required
action is active.
The problem is that when a user logs in we check if verify email is required by the realm,
if it is and user hasn't verified email we add the required action. We don't do
this check in the direct grants api.
On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
> That's indeed a bug - can you create a jira please?
>
> ----- Original Message -----
>> From: "Lohitha Chiranjeewa" <kalc04(a)gmail.com>
>> To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
>> Sent: Friday, 24 July, 2015 1:56:10 PM
>> Subject: [keycloak-user] Users able to retrieve a valid Access Token
>> despite not verifying their email
>>
>> Hi,
>>
>> We have identified that even if the user hasn't verified his email (he
>> cannot log in until it's verified), he can still invoke the
>> 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access
>> Token. APIs can be successfully invoked through this Access Token. This
>> seems to be a buggy scenario.
>>
>> Can anyone confirm if this is actually a bug or if this is the expected
>> behavior?
>>
>>
>> Regards,
>> Lohitha.
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
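The gap Bill describes (the browser login flow adds the verify-email required action when the realm demands it, the direct-grant path does not, and token creation only refuses once an action is actually stored on the user) is easy to see in a small model. The code below is an added illustration for this thread, not Keycloak's own code; the realm, user and token-issuer classes, the `VERIFY_EMAIL` action name and the `direct_grant_buggy`/`direct_grant_fixed` functions are all constructed for the example.

```python
"""Model of the reported behaviour: a required-action check that runs on
browser login but was skipped by the direct grants path (constructed
illustration, not Keycloak code)."""
from dataclasses import dataclass, field

VERIFY_EMAIL = "VERIFY_EMAIL"  # constructed action name for this model


@dataclass
class Realm:
    verify_email_required: bool


@dataclass
class User:
    username: str
    email_verified: bool
    required_actions: set = field(default_factory=set)


class RequiredActionPending(Exception):
    """Raised when token issuance is refused because actions are pending."""


def apply_realm_required_actions(realm: Realm, user: User) -> None:
    """The check the login flow performs: if the realm requires verified
    email and the user has not verified, record the required action."""
    if realm.verify_email_required and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)


def issue_token(user: User) -> dict:
    """Token creation refuses whenever a required action is active on the
    user (the rule Bill points to in 1.3/master). Only actions already
    stored on the user count, which is exactly why the realm check matters."""
    if user.required_actions:
        raise RequiredActionPending(sorted(user.required_actions))
    return {"sub": user.username, "access_token": "<constructed-token>"}


def browser_login(realm: Realm, user: User) -> dict:
    apply_realm_required_actions(realm, user)
    return issue_token(user)


def direct_grant_buggy(realm: Realm, user: User) -> dict:
    # Reported behaviour: realm-level check skipped, straight to issuance.
    return issue_token(user)


def direct_grant_fixed(realm: Realm, user: User) -> dict:
    # Hardened path: same realm check as the browser flow before issuance.
    apply_realm_required_actions(realm, user)
    return issue_token(user)


def run_scenarios() -> dict:
    """Exercise each path with a fresh unverified user, plus the case Bill
    asks about: an admin has already set the required action on the user."""
    realm = Realm(verify_email_required=True)
    results = {}
    paths = (
        ("browser_login", browser_login),
        ("direct_grant_buggy", direct_grant_buggy),
        ("direct_grant_fixed", direct_grant_fixed),
    )
    for name, path in paths:
        for label, preset in (("", set()), ("_preset_action", {VERIFY_EMAIL})):
            user = User("alice", email_verified=False, required_actions=set(preset))
            try:
                path(realm, user)
                results[name + label] = "token issued"
            except RequiredActionPending as exc:
                results[name + label] = "denied: " + ",".join(exc.args[0])
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:35} {outcome}")
```

The `_preset_action` rows show why explicitly setting the required action on the user did not reproduce the report: once the action is stored, even the buggy direct-grant path refuses. The defect only surfaces when the realm policy alone is supposed to impose the action, which the login flow did and the direct grants API did not.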