
Can get authorization code on a non verified user with some specific kc_action (AIA) #33513

@ghost

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

With a non-verified user, using the authorization code flow with some AIA (kc_action=UPDATE_EMAIL or kc_action=VERIFY_EMAIL), you can bypass the need to verify the user's email and get redirected with a valid authorization code, which then allows getting valid tokens.

Version

25.0.6

Regression

  • The issue is a regression

Expected behavior

You need to verify the user before getting an authorization code, even if you add AIA actions such as UPDATE_EMAIL or VERIFY_EMAIL.

Actual behavior

When starting the authorization code flow with a non-verified user to get an access token, if you add kc_action=UPDATE_EMAIL, you will bypass the need to verify the user's email first.

How to Reproduce?

Configuration

  • Realm:
    • Email on username: on
    • Login with email: on
    • Verify email: on
  • One client with authorization flow: standard flow checked
  • One user, with non-verified email
  • Preview feature update_email enabled

Steps

  1. Call http://localhost:8080/realms/master/protocol/openid-connect/auth?response_type=code&client_id=my-oidc-client&redirect_uri=https://example.com&kc_action=UPDATE_EMAIL
  2. Login with the non-verified user

You will be redirected to the redirect URI with a valid authorization code, which then allows getting valid tokens: https://example.com/?session_state=xx&iss=xx&code=73cb43af-2288-4564-9d36-43e4396ff9c6.7290759b-1019-4d08-b58c-51f6f9de9350.aeeeead8-f73d-4a92-a57b-d3b5efea8444

Anything else?

No response
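A compensating control on the relying-party side, added here as an example and not code from the report or from Keycloak: after the OIDC client library has validated the ID token signature, refuse to establish a session unless the `email_verified` claim is true, so a code issued through the kc_action bypass described above does not turn into a logged-in unverified user. It assumes the realm's `email` scope puts `email_verified` into the ID token; issuer and client_id follow the URL in the report, and the tokens are constructed samples with a placeholder signature.

```python
import base64
import json
import time


class LoginRejected(Exception):
    """Raised when the ID token must not be turned into an application session."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).
    Signature verification is assumed to have been done by the OIDC library
    before this policy check runs; this function only parses the payload."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise LoginRejected("ID token is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def enforce_verified_email(claims: dict, expected_issuer: str, client_id: str, now=None) -> str:
    """Accept the login only if iss/aud/exp are right AND email_verified is true.
    Returns the subject; raises LoginRejected otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise LoginRejected("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise LoginRejected("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise LoginRejected("token expired")
    # The check that closes the gap in the report: an AIA such as
    # kc_action=UPDATE_EMAIL can yield tokens for a user whose email is still
    # unverified, so the relying party refuses to trust that identity itself.
    if claims.get("email_verified") is not True:
        raise LoginRejected("email not verified")
    return claims["sub"]


def constructed_token(payload: dict) -> str:
    """Build a sample compact JWS for the demonstration (constructed; the
    signature is a placeholder, not a real Keycloak signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(payload)}.placeholder-sig"
```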
