Skip setting the verified claim for notification less password recove…

…ry flows

components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java

@@ -936,7 +936,7 @@ private HashMap<String, String> getAccountStateClaims(UserRecoveryData userRecov
         Enum<RecoveryScenarios> recoveryScenario = userRecoveryData.getRecoveryScenario();
         // If notifications are internally managed we try to set the verified claims since this is an opportunity
         // to verify a user channel.
-        if (isNotificationInternallyManaged) {
+        if (isNotificationInternallyManaged && !isNotificationLessRecoveryMethod(recoveryScenario)) {
             if (NotificationChannels.EMAIL_CHANNEL.getChannelType().equals(userRecoveryData.getRemainingSetIds())) {
                 userClaims.put(NotificationChannels.EMAIL_CHANNEL.getVerifiedClaimUrl(), Boolean.TRUE.toString());
             } else if (NotificationChannels.SMS_CHANNEL.getChannelType().equals(userRecoveryData.getRemainingSetIds())) {
@@ -978,6 +978,20 @@ private HashMap<String, String> getAccountStateClaims(UserRecoveryData userRecov
         return userClaims;
     }
 
+    /**
+     * Check whether the recovery scenario is notification based.
+     * A set of recovery scenarios such as question based password recovery, request user to set the password, and
+     * password reset on password expiry does not require sending notifications to the user.
+     *
+     * @param recoveryScenario Recovery scenario
+     * @return True if the recovery scenario does not require sending notifications
+     */
+    private boolean isNotificationLessRecoveryMethod(Enum recoveryScenario) {
+
+        return RecoveryScenarios.QUESTION_BASED_PWD_RECOVERY.equals(recoveryScenario) ||
+                RecoveryScenarios.PASSWORD_EXPIRY.equals(recoveryScenario);
+    }
+
     /**
      * Validate Tenant domain of the user with the domain in the context.
      *