From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Saturday, 25 July, 2015 6:46:36 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in
> master.
>
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
> One relevant question if "direct grant" flow has OTP set to optional and
> user has enabled otp with its account what happens?
>
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
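The behaviour described in the reply (direct grant refuses a token while email verification is outstanding, and an OTP set to "optional" becomes mandatory only for users who have actually configured one) can be modelled as a small decision function. The following Python is an added illustration, not Keycloak's code and not the tests named above; the user records, policy object, error strings and the placeholder token it returns are all constructed for the example, while the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, six digits) so that the OTP branch is exercised with real codes rather than a stub.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Requirement(Enum):
    """Mirrors the three settings an authenticator can have in a flow."""
    REQUIRED = "required"
    OPTIONAL = "optional"
    DISABLED = "disabled"


@dataclass
class User:
    username: str
    password: str                 # plaintext only because this is a toy model
    email_verified: bool
    otp_secret: Optional[bytes]   # None means the user never set up OTP


@dataclass(frozen=True)
class DirectGrantPolicy:
    verify_email: bool            # realm-level "Verify email" switch (assumed name)
    otp: Requirement              # OTP step in the direct grant flow


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def direct_grant(policy: DirectGrantPolicy, users: Dict[str, User],
                 username: str, password: str, otp: Optional[str] = None,
                 now: Optional[int] = None) -> Tuple[str, object]:
    """Model of the resource-owner-password ("direct grant") decision.

    Returns ("token", claims) on success or ("error", reason) otherwise.
    The reason strings are constructed labels, not Keycloak's wire format.
    """
    user = users.get(username)
    if user is None or not hmac.compare_digest(user.password, password):
        return ("error", "invalid_user_credentials")

    # Outstanding required action: no token until the email is verified.
    if policy.verify_email and not user.email_verified:
        return ("error", "account_not_fully_set_up")

    # "Optional" OTP is conditional on the user having OTP configured;
    # "required" demands it from everyone; "disabled" never asks.
    otp_needed = policy.otp is Requirement.REQUIRED or (
        policy.otp is Requirement.OPTIONAL and user.otp_secret is not None)
    if otp_needed:
        if user.otp_secret is None:
            return ("error", "otp_not_configured")
        if otp is None:
            return ("error", "missing_otp")
        expected = totp(user.otp_secret, int(time.time()) if now is None else now)
        if not hmac.compare_digest(expected, otp):
            return ("error", "invalid_otp")

    # Placeholder claims; a real server would mint and sign a JWT here.
    return ("token", {"sub": user.username, "email_verified": user.email_verified})


# Constructed sample directory for the demo and the tests.
SAMPLE_USERS = {
    "alice": User("alice", "pw", email_verified=True, otp_secret=None),
    "bob": User("bob", "pw", email_verified=False, otp_secret=None),
    "carol": User("carol", "pw", email_verified=True,
                  otp_secret=b"12345678901234567890"),
}
SAMPLE_POLICY = DirectGrantPolicy(verify_email=True, otp=Requirement.OPTIONAL)


def demo(now: int = 59) -> Dict[str, str]:
    """Run the three cases from the thread at a fixed clock and summarise them."""
    code = totp(SAMPLE_USERS["carol"].otp_secret, now)
    return {
        "verified_no_otp": direct_grant(SAMPLE_POLICY, SAMPLE_USERS, "alice", "pw")[0],
        "unverified": direct_grant(SAMPLE_POLICY, SAMPLE_USERS, "bob", "pw")[1],
        "otp_user_without_otp": direct_grant(SAMPLE_POLICY, SAMPLE_USERS, "carol", "pw")[1],
        "otp_user_with_otp": direct_grant(SAMPLE_POLICY, SAMPLE_USERS, "carol", "pw",
                                          otp=code, now=now)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `now` parameter exists so the OTP branch is deterministic under test; with `now=59` and the RFC 6238 reference secret the six-digit code is `287082`. Note that the "optional" setting never asks a user without a configured OTP for one, which is exactly why the question in the thread matters: the enforcement is driven by the user's credential state, not by the flow setting alone.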