I'm using Google's OpenID Connect service to authenticate users. I was considering rejecting all accounts if the email_verified field was false, but I don't see a real world scenario where someone will hit my system with this field set to false.
The first time you log in to Google the user's account becomes verified, so won't they always be verified from the perspective of my 3rd party app?
If you get an ID Token from Google, the user's email will always be verified, and this value will be true.
In the rare case where the user had yet to verify their account's email address and attempts to use OpenID Connect, they will see an error message informing them that they need to verify their account, with steps on how to complete that. This is the current behavior for Google's OpenID Connect implementation at least.
If you are relying on verified email addresses, then out of correctness you probably should reject logins that don't have email_verified=true, but the good news is that your system shouldn't ever see that case from Google.
Not exactly sure how you're using the email, but typically authentication systems use the sub and iss ID Token claims to uniquely identify the user & IdP, rather than relying on the email address which is subject to change.
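As an added example (not code from the question or the answer above), here is a Python claim check that does what the answer recommends: it rejects tokens without email_verified=true and keys the account on the (iss, sub) pair instead of the email. The client ID and the sample claims are constructed for the example, and signature verification is assumed to have been done beforehand by an OIDC library; only the claim values are checked here.

```python
import time
from dataclasses import dataclass

# Google issues ID Tokens with either form of the issuer value.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass(frozen=True)
class Identity:
    """Stable account key: issuer plus subject, never the email address."""
    issuer: str
    subject: str


def check_google_id_token_claims(claims, client_id, now=None, require_verified_email=True):
    """Validate decoded ID Token claims and return the (iss, sub) identity.

    Assumes the token signature was already verified by an OIDC library.
    Raises ValueError on any failed check so callers cannot ignore it.
    """
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    # aud is normally a string, but OIDC allows a list of audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("missing sub claim")
    # Only accept a real boolean true; a missing or false value is rejected.
    if require_verified_email and claims.get("email_verified") is not True:
        raise ValueError("email address not verified")
    return Identity(issuer=iss, subject=sub)


# Constructed sample claims (not a real token) for a stand-alone run.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id",  # placeholder client ID
    "sub": "110169484474386276334",  # constructed subject value
    "email": "user@example.com",
    "email_verified": True,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    print(check_google_id_token_claims(SAMPLE_CLAIMS, "example-client-id", now=1_700_000_000))
```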