Email updated through account API does not remove email verified flag


Perot Francis

Oct 12, 2021, 10:35:33 AM
to Keycloak Dev

Hi everyone,

 

We recently migrated from KC8 to KC14 but we noticed that when updating an email through the account API, the email verified flag was not reset.

Is this something we are expecting in the recent versions or is it something that was not seen after recent changes to manage some values as attributes?

 

In order to keep the same behavior as previously, we solved this by just overriding the matching API method (for our needs, we had already extended org.keycloak.services.resources.account.AccountRestService).

 

@Path("/")
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@NoCache
@Override
public Response updateAccount(UserRepresentation rep) {
    // Compare against the current email before delegating to the parent update.
    boolean emailUpdated = user != null && rep.getEmail() != null && !rep.getEmail().equalsIgnoreCase(user.getEmail());
    Response resp = super.updateAccount(rep);
    if (emailUpdated && resp.getStatus() < 400) {
        /**
         * EmailVerified is not updatable through KC API in version 14.0
         */
        user.setEmailVerified(false);
    }
    return resp;
}

 

 

Francis Pérot

 

 

ELCA Informatique SA | www.elca.ch

Tour Balexert – Avenue Louis-Casaï 18 | CP | CH - 1211 Genève 28

 


 

 

 

PS: I offered my help at the beginning of 2020 to help reduce the technical debt using some static analysis tools. I only checked a small part of the code and I identified some bugs but I had no time to communicate them. Most bugs I identified have already been fixed.

  • In some rare cases, a NullPointerException could be thrown in SAML11ResponseParser.java#143, statusCode.setStatusCode(subStatusCodeType); (statusCode can be null)
  • In TLSUtils#33 and #46, there are ;; (not an issue but not necessary)