Gate Users can get JWT token
I enabled the “Gate Users Until They Verify Their Email” functionality,
but even after following the manual step by step (https://fusionauth.io/docs/v1/tech/tutorials/gating/gate-accounts-until-user-email-verified), users with unverified emails can still get a JWT token via the API. Is anyone familiar with this strange behavior?
From our conversation outside the forum:
- You are attempting to enforce email verification, i.e. gate users for the OAuth password workflow.
- Your users were able to get a JWT despite not verifying their email address.
- You are using your own hosted oauth/authorize page.
- You have a paid version of FusionAuth with version > 1.27.0, which is required to gate user accounts.
Problem:
You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.
If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in order to determine whether a user has been email verified.
Solution:
The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user, which redirects to a page where the user enters a verification code sent to their registered email address.
Disclaimer:
If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.
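The answer above says that with the password grant the gate has to live in your own integration code: inspect the token and refuse to treat an unverified user as logged in. The following is an added example of that check, not FusionAuth's own code and not taken from the thread. It assumes the access token is an HS256 JWT carrying an `email_verified` boolean claim next to `exp` (FusionAuth documents both claims, but confirm against your own JWT configuration), and `SIGNING_SECRET` is a constructed placeholder for the application's HMAC key. The `mint_token` helper exists only so the example runs offline; in a real deployment FusionAuth mints the token and you only run `gate_decision`.

```python
"""Gate check for a FusionAuth-style access token obtained via the password grant.

Added example, not FusionAuth's own code. Assumptions (labelled):
- the access token is an HS256 JWT whose payload carries an `email_verified`
  boolean claim alongside `exp` (check your own JWT configuration);
- SIGNING_SECRET is a constructed placeholder for the application's HMAC key.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_SECRET = b"constructed-example-secret-not-a-real-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Test helper (constructed) that signs a payload the way an HS256 issuer would.

    It only exists so the example runs offline; FusionAuth mints the real tokens.
    """
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def gate_decision(token: str, secret: bytes = SIGNING_SECRET, now: Optional[float] = None) -> str:
    """Return 'allow', 'gate' (email not verified) or 'reject' (token not trustworthy).

    The signature and expiry are checked before any claim is trusted: a client
    that could hand you an unsigned or re-signed token could otherwise flip
    email_verified, so the gate is only as strong as the signature check.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # do not accept alg=none or an algorithm swap
            return "reject"
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return "reject"
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return "reject"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "reject"
    # The gate itself: a valid token for an unverified address is not a login.
    if claims.get("email_verified") is not True:
        return "gate"
    return "allow"


if __name__ == "__main__":
    # Constructed sample tokens: one verified user, one not yet verified.
    for label, verified in (("verified", True), ("unverified", False)):
        tok = mint_token({"sub": "user-1", "email_verified": verified, "exp": time.time() + 600})
        print(label, "->", gate_decision(tok))
```

A missing `email_verified` claim is treated the same as `false`, so a misconfigured token population cannot accidentally open the gate; and the decision is a three-way value rather than a boolean so the caller can distinguish "send the user to the verification step" from "reject this request entirely".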