OneTimeTokenAuthenticationProvider should validate UserDetails account status like DaoAuthenticationProvider

**Describe the bug**
OneTimeTokenAuthenticationProvider does not validate UserDetails account status checks (isEnabled, isAccountNonExpired, isAccountNonLocked). Users can authenticate with one-time tokens even when their accounts are disabled, expired, or locked. Currently, these checks must be handled manually in OneTimeTokenGenerationSuccessHandler, but we expect the AuthenticationProvider to handle these checks automatically like DaoAuthenticationProvider does.

**To Reproduce**
1. Create a UserDetails implementation that returns false for isEnabled(), isAccountNonExpired(), or isAccountNonLocked()
2. Attempt to authenticate using a valid one-time token for this user
3. Authentication succeeds despite the account status
4. Account status validation must be implemented separately in OneTimeTokenGenerationSuccessHandler

**Expected behavior**
Authentication should fail when UserDetails returns false for any of the following methods:
- isEnabled() - account is disabled
- isAccountNonExpired() - account has expired  
- isAccountNonLocked() - account is locked

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

OneTimeTokenAuthenticationProvider should validate UserDetails account status like DaoAuthenticationProvider #17655

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OneTimeTokenAuthenticationProvider should validate UserDetails account status like DaoAuthenticationProvider #17655

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions