[keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
Stian Thorgersen
stian at redhat.com
Mon Jul 27 01:46:02 EDT 2015
Looks good
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Saturday, 25 July, 2015 6:46:36 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
>
>
> On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> > Tried it manually and it's not working. Users don't have to verify email in
> > master.
> >
>
> Ok, I added a test and it is passing. Can you verify I'm doing the
> right checks? If I'm testing this right, I'll close the bug.
>
> ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()
>
> > One relevant question if "direct grant" flow has OTP set to optional and
> > user has enabled otp with its account what happens?
> >
>
> If the user has OTP set up, then direct grant flow will expect it. If
> it is not there, it will send an error message.
>
> BruteForceTest.testGrantMissingOtp() tests this.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>