
Can an email address be unverified in OAuth2?

I know not all providers give out the user's email address, but assuming they use OAuth2 and the email field is not empty, can I say that the email address must be verified?

Ryan asked Jan 13 '15 16:01


2 Answers

Using plain OAuth 2.0 (plus provider-specific extensions that would be required for this scenario), this is not possible in a generic way. Using OpenID Connect, which is a standardized extension of OAuth 2.0 that provides login semantics, this is possible through the standardized email_verified claim that is provided as part of the so-called ID token, and is something that can be requested explicitly in the authentication request.

Hans Z. answered Sep 17 '22 16:09


Of course it's possible. First, you would have an intermediate form that any provider redirects to and that fills in the fields, including the email if available; if it is not available, the field will be blank for the user to fill in before submitting the form. You have to structure your application so that if an email address is available, not empty and valid, it is populated in the field and the user is allowed to submit the form; then you would send the verification email and perform any other steps that you want when a user creates an account.

I would separate it out into events, and fire events when a user account is created. Then attach some listeners to listen to the user-account-created event.

You can then create new event listeners and attach them to the event as needed.

Some good videos about Commands and Domain Events are available on Laracasts: https://laracasts.com/series/commands-and-domain-events

ART GALLERY answered Sep 19 '22 16:09
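The two answers combined, as an added example that is not part of either answer: the email is trusted only when the OpenID Connect email_verified claim is true, and otherwise the flow falls back to prefilling the form and sending your own verification mail. It assumes the ID token's signature, issuer, audience and expiry were already validated by an OIDC library; `decide_email`, `EmailDecision` and the sample claims are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class EmailDecision:
    email: Optional[str]  # address to prefill, or None if the provider gave none
    verified: bool        # True only if the provider asserted email_verified
    action: str           # "trust", "send_verification" or "ask_user"


def _is_true(value: Any, accept_string: bool) -> bool:
    # OpenID Connect defines email_verified as a JSON boolean.
    if value is True:
        return True
    # Assumption: opt-in leniency for a provider that serializes it as "true".
    return accept_string and isinstance(value, str) and value.lower() == "true"


def decide_email(claims: Mapping[str, Any], accept_string: bool = False) -> EmailDecision:
    """claims: already-validated ID token claims (validation is assumed, not done here)."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email.strip():
        # No usable address: leave the form field blank for the user.
        return EmailDecision(None, False, "ask_user")
    email = email.strip()
    if _is_true(claims.get("email_verified"), accept_string):
        return EmailDecision(email, True, "trust")
    # Present but unverified, or the claim is absent: prefill only, and prove
    # ownership with your own verification mail before linking to an account.
    return EmailDecision(email, False, "send_verification")


# Constructed sample claim sets (not taken from any real provider response).
SAMPLES = {
    "verified": {"sub": "1", "email": "a@example.com", "email_verified": True},
    "unverified": {"sub": "2", "email": "b@example.com", "email_verified": False},
    "claim_absent": {"sub": "3", "email": "c@example.com"},
    "string_flag": {"sub": "4", "email": "d@example.com", "email_verified": "true"},
    "no_email": {"sub": "5"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, decide_email(claims))
```

A non-empty email with the claim missing is treated the same as `email_verified: false`, which is the case the question asks about.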