[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Hi, We have identified that even if the user hasn't verified his email (he cannot log in until it's verified), he can still invoke the 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access Token. APIs can be successfully invoked through this Access Token. This seems to be a buggy scenario. Can anyone confirm if this is actually a bug or if this is the expected behavior? Regards, Lohitha.