From our conversation outside the forum:
- You are attempting to enforce email verification, i.e. gate users for the OAuth password workflow.
- Your users were able to get a JWT despite not verifying their email address.
- You are using your own hosted oauth/authorize page.
- You have a paid version of FusionAuth with version > 1.27.0, which is required to gate user accounts.

Problem:
You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.
If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in order to determine if a user has been email verified.
Solution:
The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user - which redirects to a page where a user will enter a verification code sent to their registered email address.
Disclaimer:
If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.
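As an added example of the check the post says a password-grant integration must build itself (this is not FusionAuth's code and not from the original post), the block below validates a JWT's signature and expiry with the standard library and then reads an `email_verified` claim to decide whether to gate the user. It assumes an HS256 shared signing key and a boolean `email_verified` claim; the key, the claim name and all sample tokens are constructed for the demo, so match them to what your own FusionAuth tenant actually issues.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Assumed: the application's JWT is signed with HS256 and
# this shared secret. A real integration loads the key from configuration.
SIGNING_KEY = b"example-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256-signed JWT. Only used here to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims.

    Raises ValueError on any failure so callers cannot accidentally trust
    an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def gate_decision(token: str, key: bytes = SIGNING_KEY, now=None) -> str:
    """Return 'allow', 'gate: ...' or 'reject: ...' for a presented token.

    Only a token that verifies AND carries email_verified == true is allowed;
    a missing claim is treated as unverified (fail closed).
    """
    try:
        claims = verify_token(token, key, now)
    except ValueError as exc:
        return f"reject: {exc}"
    if claims.get("email_verified") is not True:
        return "gate: email not verified"
    return "allow"


if __name__ == "__main__":
    now = int(time.time())
    for label, claims in [
        ("verified", {"sub": "user-1", "email_verified": True, "exp": now + 3600}),
        ("unverified", {"sub": "user-2", "email_verified": False, "exp": now + 3600}),
    ]:
        print(label, "->", gate_decision(make_token(claims), now=now))
```

The signature check runs before any claim is read, so a client that edits the payload to flip `email_verified` is rejected rather than gated, and the algorithm is pinned so the header cannot downgrade verification. If your tenant signs with RS256 instead, swap the HMAC step for a public-key verification and keep the rest of the flow the same.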