So, setting a verify email required action allows you to replicate the
problem?
What version of Keycloak are you using? Just looking at the code from
1.3 and master we don't allow the creation of a token if a required
action is active.
On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
That's indeed a bug - can you create a jira please?
----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04(a)gmail.com>
> To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
> Sent: Friday, 24 July, 2015 1:56:10 PM
> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
> Hi,
>
> We have identified that even if the user hasn't verified his email (he cannot
> log in until it's verified), he can still invoke the
> 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access Token.
> APIs can be successfully invoked through this Access Token. This seems to be a
> buggy scenario.
>
> Can anyone confirm if this is actually a bug or if this is the expected
> behavior?
>
>
> Regards,
> Lohitha.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
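Added example, not code from this thread or from Keycloak itself: a small offline Python model of the direct-grant policy Bill describes, in which the token endpoint refuses to issue a token while any required action (such as verifying the email address) is still pending. The `enforce_required_actions` switch lets you compare the behaviour Lohitha reported (token issued anyway) with the expected behaviour. The user records, the password hashing, the `build_store` sample data and the error bodies are all constructed for this example; they are not Keycloak's data model or its exact responses.

```python
"""Offline model of a resource-owner-password (direct grant) token endpoint
that honours pending required actions, as discussed in the thread.

Added example only; nothing here is Keycloak's own code. The user store,
the SHA-256 password check and the response bodies are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str                    # constructed: plain SHA-256, not Keycloak's hashing
    enabled: bool = True
    email_verified: bool = False
    required_actions: set = field(default_factory=set)   # e.g. {"VERIFY_EMAIL"}


def hash_password(password: str) -> str:
    """Constructed helper for the example's credential check."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def direct_grant(user_store: dict, username: str, password: str,
                 enforce_required_actions: bool = True):
    """Model of POST .../tokens/grants/access.

    Returns (http_status, json_body). With enforce_required_actions=True the
    endpoint behaves as Bill describes (no token while a required action is
    active); with False it reproduces the reported bug.
    """
    user = user_store.get(username)
    # Constant-time comparison; compare against a dummy hash when the user
    # does not exist so the two failure paths take similar time.
    stored = user.password_hash if user else hash_password(secrets.token_hex(8))
    if not hmac.compare_digest(stored, hash_password(password)) or user is None:
        return 401, {"error": "invalid_grant",
                     "error_description": "Invalid user credentials"}
    if not user.enabled:
        return 400, {"error": "invalid_grant",
                     "error_description": "Account disabled"}
    if enforce_required_actions and user.required_actions:
        # The check the thread says 1.3/master applies: a pending required
        # action blocks token issuance just as it blocks browser login.
        return 400, {"error": "invalid_grant",
                     "error_description": "Account is not fully set up",
                     "pending_required_actions": sorted(user.required_actions)}
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "bearer"}


def audit_pending_required_actions(user_store: dict) -> dict:
    """Operator-side check: which users could still obtain tokens if the
    required-action check were missing? Returns {username: actions}."""
    return {u.username: set(u.required_actions)
            for u in user_store.values() if u.required_actions}


def build_store() -> dict:
    """Constructed sample data: alice has not verified her email yet."""
    return {
        "alice": User("alice", hash_password("correct horse"),
                      email_verified=False, required_actions={"VERIFY_EMAIL"}),
        "bob": User("bob", hash_password("battery staple"), email_verified=True),
    }


if __name__ == "__main__":
    store = build_store()
    print("expected  :", direct_grant(store, "alice", "correct horse"))
    print("reported  :", direct_grant(store, "alice", "correct horse",
                                      enforce_required_actions=False))
    print("pending   :", audit_pending_required_actions(store))
```

Running the script shows the two behaviours side by side: with enforcement on, alice's valid password yields an `invalid_grant` error naming the pending `VERIFY_EMAIL` action, while bob (no pending actions) receives a token. The `audit_pending_required_actions` helper is the kind of realm review an operator can use to see how many accounts would be exposed by the reported behaviour before upgrading.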