[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Lohitha Chiranjeewa kalc04 at gmail.com
Fri Jul 24 07:56:10 EDT 2015


Hi,

We have identified that even if the user hasn't verified his email (he
cannot log in until it's verified), he can still invoke the
'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access
Token. APIs can be successfully invoked through this Access Token. This
seems to be a buggy scenario.

Can anyone confirm if this is actually a bug or if this is the expected
behavior?


Regards,
Lohitha.