Was just looking at it and can't find anything that would check it, but
RequiredActionEmailVerificationTest, which is supposed to test it, is passing.

----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 4:08:06 PM
Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not
verifying their email

On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Friday, 24 July, 2015 3:41:51 PM
>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token
>> despite not verifying their email
>>
>> So, setting a verify email required action allows you to replicate the
>> problem?
>>
>> What version of Keycloak are you using? Just looking at the code from
>> 1.3 and master we don't allow the creation of a token if a required
>> action is active.
>
> The problem is that when a user logs in we check if verify email is
> required by the realm, if it is and user hasn't verified email we add the
> required action. We don't do this check in the direct grants api.
>
This check might be gone entirely now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
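
Added example (not part of the thread, and not Keycloak's code): a simplified Python model of the gap described above, where the verify-email required action is derived only in the interactive login path, next to a direct-grant variant that runs the same derivation before token creation. Every class and function name here is hypothetical.

```python
# Simplified model, NOT Keycloak code; every name here is hypothetical.
from dataclasses import dataclass, field

VERIFY_EMAIL = "VERIFY_EMAIL"

@dataclass
class Realm:
    verify_email: bool = True

@dataclass
class User:
    name: str
    email_verified: bool = False
    required_actions: set = field(default_factory=set)

def derive_required_actions(realm, user):
    """Turn realm policy into a per-user required action (the check from the thread)."""
    if realm.verify_email and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)

def issue_token(user):
    """Token creation refuses while any required action is active."""
    if user.required_actions:
        raise PermissionError(f"required actions pending: {sorted(user.required_actions)}")
    return f"token-for-{user.name}"

def browser_login(realm, user):
    derive_required_actions(realm, user)   # the check happens at login
    return issue_token(user)

def direct_grant_gap(realm, user):
    # Gap: the action is never derived, so issue_token sees an empty set.
    return issue_token(user)

def direct_grant_fixed(realm, user):
    derive_required_actions(realm, user)   # same derivation as browser login
    return issue_token(user)

def outcome(flow, realm, user):
    """Run one flow and report either the token or 'denied'."""
    try:
        return flow(realm, user)
    except PermissionError:
        return "denied"

if __name__ == "__main__":
    realm = Realm(verify_email=True)
    for flow in (browser_login, direct_grant_gap, direct_grant_fixed):
        print(flow.__name__, "->", outcome(flow, realm, User("alice")))
```

A regression test for this class of bug has to start from a user whose required-action set is empty and rely on the realm setting alone; a test that pre-sets the action on the user passes on both direct-grant variants.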