[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email

Lohitha Chiranjeewa kalc04 at gmail.com
Fri Jul 24 12:03:23 EDT 2015


We're using 1.2.0.Final, and we're running our tests on a separate realm as
our master realm is reserved for admin tasks only. Not sure if the behavior
changes from master to other realms.

In 1.2.0.Final version, both new and existing users have to verify their
emails once the feature is turned on. Maybe it's broken in the newer
version.

Stian, will the ticket created by you (KEYCLOAK-1696) capture the initial
bug mentioned by me as well? Or do I have to report a separate ticket for
that?


Thanks,
Lohitha.

On Fri, Jul 24, 2015 at 7:47 PM, Stian Thorgersen <stian at redhat.com> wrote:

> The test only checks if new users have to verify email, not that existing
> users have to verify email. Added
> https://issues.jboss.org/browse/KEYCLOAK-1696
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Bill Burke" <bburke at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 24 July, 2015 4:10:44 PM
> > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> >
> > Was just looking at it and can't find anything that would check it, but
> > RequiredActionEmailVerificationTest, which is supposed to test it, is passing.
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke at redhat.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Friday, 24 July, 2015 4:08:06 PM
> > > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> > >
> > >
> > >
> > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote:
> > > >
> > > >
> > > > ----- Original Message -----
> > > >> From: "Bill Burke" <bburke at redhat.com>
> > > >> To: keycloak-user at lists.jboss.org
> > > >> Sent: Friday, 24 July, 2015 3:41:51 PM
> > > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
> > > >>
> > > >> So, setting a verify email required action allows you to replicate the
> > > >> problem?
> > > >>
> > > >> What version of Keycloak are you using?  Just looking at the code from
> > > >> 1.3 and master we don't allow the creation of a token if a required
> > > >> action is active.
> > > >
> > > > The problem is that when a user logs in we check if verify email is
> > > > required by the realm, if it is and user hasn't verified email we add the
> > > > required action. We don't do this check in the direct grants api.
> > > >
> > >
> > > This check might be gone entirely now.
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
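The gap Stian describes in the quoted thread (the interactive login path derives the VERIFY_EMAIL required action from the realm's verify-email setting, the direct grants API only honours required actions already stored on the user) is easy to lose in the quoting. The following is an added illustration written for this page, not Keycloak's own code; every class and function name in it is an assumption chosen to model the two code paths side by side, with a hardened direct-grant variant that applies the same realm check. It also shows why a test that creates a new user can pass while existing users slip through: once a browser login attempt has persisted the required action, the unpatched direct grant path blocks too, but an existing user who never hit the browser flow gets a token.

```python
"""Model of the verify-email gap between browser login and direct grants.
Added example, not Keycloak code; all names below are assumptions."""
from dataclasses import dataclass, field

VERIFY_EMAIL = "VERIFY_EMAIL"  # assumed name for the required action


@dataclass
class Realm:
    verify_email: bool  # realm-level "Verify email" switch


@dataclass
class User:
    username: str
    password: str
    email_verified: bool
    # required actions already persisted on the user record
    required_actions: set = field(default_factory=set)


class RequiredActionPending(Exception):
    """Raised when a login must stop until the user completes an action."""


class BadCredentials(Exception):
    pass


def issue_token(user):
    # Stand-in for token creation; the point is whether we get here at all.
    return {"sub": user.username, "typ": "Bearer"}


def _check_credentials(user, password):
    if user.password != password:
        raise BadCredentials(user.username)


def _apply_realm_policy(realm, user):
    # The check the thread says only the interactive login performs.
    if realm.verify_email and not user.email_verified:
        user.required_actions.add(VERIFY_EMAIL)


def _block_on_required_actions(user):
    if user.required_actions:
        raise RequiredActionPending(sorted(user.required_actions))


def browser_login(realm, user, password):
    """Interactive login: derive the action from realm policy, then block."""
    _check_credentials(user, password)
    _apply_realm_policy(realm, user)
    _block_on_required_actions(user)
    return issue_token(user)


def direct_grant_unpatched(realm, user, password):
    """Direct grant as described in the thread: realm policy never consulted."""
    _check_credentials(user, password)
    _block_on_required_actions(user)
    return issue_token(user)


def direct_grant_hardened(realm, user, password):
    """Direct grant that applies the same realm policy as browser login."""
    _check_credentials(user, password)
    _apply_realm_policy(realm, user)
    _block_on_required_actions(user)
    return issue_token(user)


def token_issued(flow, realm, user, password):
    """True if the flow hands out a token, False if a required action stops it."""
    try:
        flow(realm, user, password)
        return True
    except RequiredActionPending:
        return False


def demo(verify_email=True):
    """Run each path against a fresh, never-verified 'existing' user."""
    realm = Realm(verify_email=verify_email)

    def fresh():  # constructed sample user, no persisted required actions
        return User("alice", "s3cret", email_verified=False)

    # Existing user who tried the browser flow once: the action got persisted,
    # so even the unpatched direct grant path is blocked afterwards.
    seen_by_browser = fresh()
    token_issued(browser_login, realm, seen_by_browser, "s3cret")

    return {
        "browser": token_issued(browser_login, realm, fresh(), "s3cret"),
        "direct_unpatched": token_issued(direct_grant_unpatched, realm, fresh(), "s3cret"),
        "direct_unpatched_after_browser": token_issued(
            direct_grant_unpatched, realm, seen_by_browser, "s3cret"),
        "direct_hardened": token_issued(direct_grant_hardened, realm, fresh(), "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

To check a real instance rather than this model, request a token for an unverified user with grant_type=password against the realm's token endpoint (in 1.x under /auth/realms/<realm>/protocol/openid-connect/token) after enabling "Verify email" on the realm; a 200 with an access_token for a user who has never completed verification reproduces the behaviour reported above.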