Hi,

We have identified that even if the user hasn't verified his email (he cannot log in until it's verified), he can still invoke the 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access Token. APIs can be successfully invoked through this Access Token. This seems to be a buggy scenario.

Can anyone confirm if this is actually a bug or if this is the expected behavior?
Regards,
Lohitha.
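The point behind the question is that account-state checks (email verified, account enabled) must be enforced wherever a token can be minted, not only in the browser login flow, because the direct access grant endpoint is a second way in. The model below is an added example written for this page, not Keycloak's code and not the poster's; the user store, the `email_verified`/`enabled` field names and the error strings are assumptions. It shows a direct-grant handler that checks credentials only, beside one that applies the same account-state gate the interactive login applies, so a regression test can assert that an unverified user never receives a token.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example (not Keycloak's data model).
# Passwords are stored as salted PBKDF2 hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, email_verified: bool, enabled: bool = True) -> dict:
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "email_verified": email_verified,   # assumed field name
        "enabled": enabled,                 # assumed field name
    }

USERS = {
    "alice": _make_user("correct horse", email_verified=True),
    "bob": _make_user("battery staple", email_verified=False),  # registered, never verified
    "carol": _make_user("staple battery", email_verified=True, enabled=False),
}

def _credentials_ok(user: dict, password: str) -> bool:
    # Constant-time comparison of the derived hash.
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))

def _issue_token() -> dict:
    # Placeholder opaque token; a real IdP would mint a signed JWT here.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 300}

def direct_grant_unchecked(username: str, password: str) -> dict:
    """Models the behaviour reported in the post: only the password is checked,
    so an account that cannot log in interactively still gets a token."""
    user = USERS.get(username)
    if user is None or not _credentials_ok(user, password):
        return {"error": "invalid_grant"}
    return _issue_token()

def direct_grant_hardened(username: str, password: str) -> dict:
    """Applies the same account-state gate the interactive login applies.
    Every failure returns the same generic error so the endpoint does not
    reveal which accounts exist or which check failed."""
    user = USERS.get(username)
    if user is None or not _credentials_ok(user, password):
        return {"error": "invalid_grant"}
    if not user["enabled"] or not user["email_verified"]:
        return {"error": "invalid_grant"}
    return _issue_token()

def unverified_user_blocked(handler) -> bool:
    """Regression check: the unverified account must not receive a token."""
    return "access_token" not in handler("bob", "battery staple")

if __name__ == "__main__":
    print("unchecked handler blocks unverified user:", unverified_user_blocked(direct_grant_unchecked))
    print("hardened handler blocks unverified user: ", unverified_user_blocked(direct_grant_hardened))
```

The `unverified_user_blocked` check is the kind of test worth keeping in a suite after the fix: it exercises the token endpoint directly rather than the login page, which is exactly the path the post shows being missed. Returning one uniform `invalid_grant` for wrong password, disabled account and unverified email keeps the endpoint from becoming an account-enumeration oracle.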