Keycloak issue KEYCLOAK-8756

It is not possible to verify email for already logged in user

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.3.Final
    • Fix Version/s: 4.7.0.Final
    • Component/s: None
    • Labels:
    • Steps to Reproduce:
      • make sure email verification is enabled for realm
      • login as some user
      • go to admin GUI and set email as unverified for given user (it also happens when you change email address in the user profile /account app!)
      • try to /auth for other client in same browser/window
      • you are asked to verify email, verification email is sent
      • click link in verification email - "You are already logged in" error page is shown

      The "You are already logged in" error page is complete UX nonsense here; the user's work is broken. It should simply mark the email as verified and send the user back to the calling application.

    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      It is not possible to verify email for an already logged in user - the "You are already logged in" error page is shown (see Steps to Reproduce).

      The problem is directly in Keycloak code which handles links for action-token actions (like email verification). The exact problem is in the org.keycloak.services.resources.LoginActionsService.handleActionToken(String, String, String, String) method, in this section:

      if (tokenAuthSessionCompoundId != null) {
          // This can happen if the token contains ID but user opens the link in a new browser
          String sessionId = AuthenticationSessionCompoundId.encoded(tokenAuthSessionCompoundId).getRootSessionId();
          LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, sessionId);
      }
      

      This whole block is strange: the comment says "This can happen if the token contains ID but user opens the link in a new browser", but it is called always, even if the link is opened in the same browser.
      The LoginActionsServiceChecks.checkNotLoggedInYet check might be useful for some action types which have to occur for a not logged in user only, but email verification should work even in this case. So this check should probably be controlled by the actual token handler, and org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionTokenHandler should skip this check.
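      The following is an added example that models the dispatch change proposed above; it is not Keycloak's code and none of its names (Handler, requiresNotLoggedInYet, Context, the token type strings) are Keycloak APIs. It reduces the real check (which compares the token's authentication-session root id with the browser's current session) to a single "user already logged in" flag so the two control flows can be compared side by side: in the current flow the check runs for every token type, in the proposed flow each handler declares whether the check applies, and the verify-email handler opts out while a hypothetical anonymous-only action type keeps it.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Keycloak code: models the proposed "handler decides" control flow.
public class ActionTokenDispatchExample {

    /** What the browser ends up seeing after following an action-token link. */
    enum Outcome { ALREADY_LOGGED_IN_ERROR, EMAIL_VERIFIED, ANONYMOUS_ACTION_DONE }

    /** Simplified request context (hypothetical): the real check compares session ids, not a flag. */
    static final class Context {
        final boolean userLoggedIn;
        boolean emailVerified;
        Context(boolean userLoggedIn) { this.userLoggedIn = userLoggedIn; }
    }

    /** Hypothetical handler contract: each token type states whether it may only run for anonymous browsers. */
    interface Handler {
        boolean requiresNotLoggedInYet();
        Outcome handle(Context ctx);
    }

    /** Email verification: opts out of the check, so a logged-in user can still verify (the report's request). */
    static final class VerifyEmailHandler implements Handler {
        public boolean requiresNotLoggedInYet() { return false; }
        public Outcome handle(Context ctx) {
            ctx.emailVerified = true;
            return Outcome.EMAIL_VERIFIED;
        }
    }

    /** Hypothetical action type that must only occur for a user who is not logged in; keeps the check. */
    static final class AnonymousOnlyActionHandler implements Handler {
        public boolean requiresNotLoggedInYet() { return true; }
        public Outcome handle(Context ctx) { return Outcome.ANONYMOUS_ACTION_DONE; }
    }

    private static final Map<String, Handler> HANDLERS = new HashMap<>();
    static {
        HANDLERS.put("verify-email", new VerifyEmailHandler());
        HANDLERS.put("anonymous-only-action", new AnonymousOnlyActionHandler());
    }

    /** Current behaviour described in the report: the check runs unconditionally for every token type. */
    static Outcome handleActionTokenCurrent(String tokenType, Context ctx) {
        Handler handler = HANDLERS.get(tokenType);
        if (ctx.userLoggedIn) {
            return Outcome.ALREADY_LOGGED_IN_ERROR;
        }
        return handler.handle(ctx);
    }

    /** Proposed behaviour: the token handler controls whether the "not logged in yet" check applies. */
    static Outcome handleActionTokenProposed(String tokenType, Context ctx) {
        Handler handler = HANDLERS.get(tokenType);
        if (handler.requiresNotLoggedInYet() && ctx.userLoggedIn) {
            return Outcome.ALREADY_LOGGED_IN_ERROR;
        }
        return handler.handle(ctx);
    }

    public static void main(String[] args) {
        // Logged-in user clicks the verification link in the same browser.
        Context sameBrowser = new Context(true);
        System.out.println("current, verify-email, logged in: " + handleActionTokenCurrent("verify-email", sameBrowser));
        System.out.println("proposed, verify-email, logged in: " + handleActionTokenProposed("verify-email", sameBrowser)
                + " (emailVerified=" + sameBrowser.emailVerified + ")");

        // An anonymous-only action type still refuses a logged-in browser under the proposed flow.
        System.out.println("proposed, anonymous-only-action, logged in: "
                + handleActionTokenProposed("anonymous-only-action", new Context(true)));
        System.out.println("proposed, anonymous-only-action, anonymous: "
                + handleActionTokenProposed("anonymous-only-action", new Context(false)));
    }
}
```

      The example deliberately models only the logged-in check; it does not touch token signature, expiry or single-use verification, which must still run for every token type regardless of whether the handler skips the logged-in check.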

                People

                • Assignee: Hynek Mlnařík (hmlnarik)
                • Reporter: Vlastimil Eliáš (velias)
                • Votes: 0
                • Watchers: 4
