[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
Stian Thorgersen
stian at redhat.com
Fri Jul 24 09:34:11 EDT 2015
That's indeed a bug - can you create a jira please?
----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Friday, 24 July, 2015 1:56:10 PM
> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
> Hi,
>
> We have identified that even if the user hasn't verified his email (he cannot
> log in until it's verified), he can still invoke the
> 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access Token. APIs can be
> successfully invoked through this Access Token. This seems to be a buggy
> scenario.
>
> Can anyone confirm if this is actually a bug or if this is the expected
> behavior?
>
>
> Regards,
> Lohitha.