UNSOLVED Gate Users can get JWT token
I enabled the “Gate Users Until They Verify Their Email” functionality,
but even after following the manual step by step (https://fusionauth.io/docs/v1/tech/tutorials/gating/gate-accounts-until-user-email-verified), users with unverified emails can still get a JWT token via the API. Is anyone familiar with this strange behavior?
From our conversation outside the forum:
- You are attempting to enforce email verification, i.e. gate users for the OAuth password workflow.
- Your users were able to get a JWT despite not verifying their email address.
- You are using your own hosted oauth/authorize page.
- You have a paid version of FusionAuth with version > 1.27.0, which is required to gate user accounts.
You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.
If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in order to determine whether a user has been email verified.
The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user - which redirects to a page where a user will enter a verification code sent to their registered email address.
If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.
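As an added example (not from this thread and not FusionAuth's own code), this is the kind of check the answer describes for a password-grant integration: verify the token's signature, algorithm, audience and expiry, and only then read the `email_verified` claim to decide whether to let the user through or send them to the verification step. It assumes HS256 signing with a constructed shared key, a placeholder application id as the `aud` value, sample tokens built locally rather than fetched from `/oauth2/token`, and a fixed clock; `make_token`, `verify_and_decode`, `gate_decision` and `tamper_email_verified` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for this example only. FusionAuth can sign access tokens with
# HS256 (shared secret) or RS256 (verify against the JWKS endpoint); the code
# below assumes HS256 so that it runs offline.
EXAMPLE_KEY = b"example-shared-secret-not-a-real-key"
EXAMPLE_AUD = "00000000-0000-0000-0000-000000000000"  # placeholder application id
NOW = 1_700_000_000  # fixed clock so the sample tokens behave deterministically


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Build an HS256 JWT. Used here only to construct sample tokens; in a real
    integration the token is whatever FusionAuth returned from /oauth2/token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_and_decode(token: str, key: bytes = EXAMPLE_KEY, audience: str = EXAMPLE_AUD, now=None) -> dict:
    """Check signature, algorithm, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def gate_decision(token: str, key: bytes = EXAMPLE_KEY, audience: str = EXAMPLE_AUD, now=None) -> str:
    """Return 'allow' (verified), 'gate' (send to email verification) or 'reject' (untrusted token)."""
    try:
        claims = verify_and_decode(token, key, audience, now)
    except ValueError:  # covers malformed base64, bad JSON, bad signature, expiry
        return "reject"
    # email_verified is the access-token claim this example assumes FusionAuth populates.
    if claims.get("email_verified") is not True:
        return "gate"
    return "allow"


def tamper_email_verified(token: str) -> str:
    """Edit email_verified in the payload without re-signing. Shows that the gate
    rests on the signature check, not on the claim value by itself."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["email_verified"] = True
    return f"{header_b64}.{_b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


# Constructed sample tokens standing in for two /oauth2/token responses.
VERIFIED_TOKEN = make_token({"sub": "user-1", "email": "alice@example.com", "email_verified": True,
                             "aud": EXAMPLE_AUD, "iat": NOW, "exp": NOW + 3600})
UNVERIFIED_TOKEN = make_token({"sub": "user-2", "email": "bob@example.com", "email_verified": False,
                               "aud": EXAMPLE_AUD, "iat": NOW, "exp": NOW + 3600})

if __name__ == "__main__":
    print("verified user:", gate_decision(VERIFIED_TOKEN, now=NOW))
    print("unverified user:", gate_decision(UNVERIFIED_TOKEN, now=NOW))
    print("edited claim, old signature:", gate_decision(tamper_email_verified(UNVERIFIED_TOKEN), now=NOW))
```

The order matters: a user who merely edits the `email_verified` claim in an unverified token ends up with `reject`, not `allow`, because the signature no longer matches. With RS256 keys you would swap the HMAC comparison for a verification against the key published at the JWKS endpoint, and the rest of the logic stays the same.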