Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
Tried it manually and it's not working. Users don't have to
verify email in master.
Ok, I added a test and it is passing. Can you verify I'm doing the
right checks? If I'm testing this right, I'll close the bug.
ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
One relevant question if "direct grant" flow has OTP set to
optional and user has enabled otp with its account what happens?
If the user has OTP set up, then direct grant flow will expect it. If
it is not there, it will send an error message.
BruteForceTest.testGrantMissingOtp() tests this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com