p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io

Verify user email after successful email otp usage #38

Closed Arnaud-J closed 1 year ago

Arnaud-J commented 1 year ago

Proposed change for #37.

Because the usage of an emailed OTP code ensures a user has access to their mailbox, their email should be verified in their Keycloak user account.

@xgp A few questions remain:

  1. I noticed two methods for retrieving the authenticated user: context.getAuthenticationSession().getAuthenticatedUser() and context.getUser(). I have used the former because you yourself use context.getAuthenticationSession() in your code. Is there anything else to consider here for making a choice?
  2. Both methods may give null as a response, but I believe they will not, because the EmailOTPAuthenticator will fail earlier if a user cannot be found. Is that a correct assumption?
xgp commented 1 year ago
  1. I don't believe there is a difference. Good to have documented here, though.
  2. I think that assumption is correct.
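The change and the two questions above, as an added Java example written against the Keycloak Authenticator SPI; this is illustrative code, not the project's own implementation. The class and method names are hypothetical. It assumes the caller invokes `markEmailVerified` only after the submitted OTP has been validated against the emailed code, and it shows both ways of resolving the user together with a defensive null check rather than relying on the earlier failure alone.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Hypothetical helper illustrating the change discussed in this PR:
 * once an emailed OTP has been used successfully, the user's email
 * address is known to be reachable and can be flagged as verified.
 */
public final class EmailVerificationOnOtpSuccess {

    private EmailVerificationOnOtpSuccess() {}

    /**
     * Resolve the user for the current flow. context.getUser() and
     * context.getAuthenticationSession().getAuthenticatedUser() refer to the
     * same user in this flow; the first is used here with the second as a
     * fallback so the result is the same whichever one a caller expects.
     */
    static UserModel resolveUser(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            AuthenticationSessionModel session = context.getAuthenticationSession();
            if (session != null) {
                user = session.getAuthenticatedUser();
            }
        }
        return user;
    }

    /**
     * Call only after the OTP submitted by the user has matched the emailed code.
     * Returns true when the verified flag was set by this call, false when no
     * user could be resolved or the address was already verified.
     */
    static boolean markEmailVerified(AuthenticationFlowContext context) {
        UserModel user = resolveUser(context);
        if (user == null) {
            // The authenticator is expected to have failed earlier when no user
            // exists; guard anyway so this step can never throw on a null user.
            return false;
        }
        if (user.isEmailVerified()) {
            return false; // nothing to change
        }
        user.setEmailVerified(true);
        return true;
    }
}
```

In an authenticator's `action` method the call sits on the success path only, after the code comparison and before `context.success()`; an invalid or expired code must never reach it, since the whole point is that possession of the code is the proof of mailbox access.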