Need clarification on email_verified field of ID Token

I'm using Google's OpenID Connect service to authenticate users. I was considering rejecting all accounts if the email_verified field was false, but I don't see a real-world scenario where someone will hit my system with this field set to false.

The first time you log in to Google the user's account becomes verified, so won't they always be verified from the perspective of my third-party app?

asked Dec 20 '22 by jekennedy


1 Answer

If you get an ID Token from Google, the user's email will always be verified, and this value will be true.

In the rare case where the user had yet to verify their account's email address and attempts to use OpenID Connect, they will see an error message informing them that they need to verify their account, with steps on how to complete that. This is the current behavior for Google's OpenID Connect implementation at least.

If you are relying on verified email addresses, then out of correctness you probably should reject logins that don't have email_verified=true, but the good news is that your system shouldn't ever see that case from Google.

Not exactly sure how you're using the email, but typically authentication systems use the sub and iss ID Token claims to uniquely identify the user & IdP, rather than relying on the email address which is subject to change.

answered Dec 26 '22 by William Denniss
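A worked version of the checks the answer recommends, added here as an example and not part of the original question or answer. It assumes the ID Token's signature has already been verified against Google's published JWKS (for instance with the google-auth library) and only covers the claim checks that follow: issuer, audience, expiry, the strict email_verified rule, and keying the user on (iss, sub) rather than email. The client ID, sample claims and function names are constructed for this page.

```python
"""Claim checks on a Google OpenID Connect ID Token (added example).

Assumes the JWT signature has ALREADY been verified against Google's
JWKS; these are the checks that come after that. Hypothetical names.
"""
import time
from typing import Optional, Tuple

# Google issues ID Tokens under both forms of the issuer.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class IdTokenError(ValueError):
    """Raised when an ID Token's claims must not be trusted."""


def validate_id_token_claims(claims: dict, client_id: str,
                             now: Optional[float] = None) -> dict:
    """Return the claims if they pass every check, else raise IdTokenError."""
    now = time.time() if now is None else now

    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise IdTokenError(f"unexpected issuer {claims.get('iss')!r}")

    # aud must be OUR client id; a token minted for another app is not ours.
    # OIDC allows aud to be a list, so accept either shape.
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise IdTokenError("audience mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("token expired or missing exp")

    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise IdTokenError("missing sub")

    # Only a JSON boolean true counts. Some identity providers emit the
    # string "false", which is truthy in Python, so a bare
    # `if claims.get("email_verified")` would pass it. Compare to True.
    if claims.get("email_verified") is not True:
        raise IdTokenError("email not verified")

    if not isinstance(claims.get("email"), str) or "@" not in claims["email"]:
        raise IdTokenError("missing email")

    return claims


def reject_reason(claims: dict, client_id: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return None if the claims are acceptable, else the rejection reason."""
    try:
        validate_id_token_claims(claims, client_id, now)
    except IdTokenError as err:
        return str(err)
    return None


def user_key(claims: dict) -> Tuple[str, str]:
    """Stable identity for account lookup: (iss, sub), never the email."""
    return (claims["iss"], claims["sub"])


# Constructed sample data (hypothetical client id and fake subject).
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
NOW = 1_700_000_000  # fixed clock so the example is reproducible

SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "1234567890",
    "aud": CLIENT_ID,
    "iat": NOW,
    "exp": NOW + 3600,
    "email": "alice@example.com",
    "email_verified": True,
}

if __name__ == "__main__":
    print("valid token ->", user_key(validate_id_token_claims(SAMPLE_CLAIMS, CLIENT_ID, NOW)))
    for label, bad in [
        ("string 'false'", {**SAMPLE_CLAIMS, "email_verified": "false"}),
        ("wrong audience", {**SAMPLE_CLAIMS, "aud": "someone-else"}),
        ("expired", {**SAMPLE_CLAIMS, "exp": NOW - 1}),
    ]:
        print(f"{label:16s} -> rejected: {reject_reason(bad, CLIENT_ID, NOW)}")
```

The audience check matters as much as email_verified: an ID Token issued to a different client is still a validly signed Google token, and looking the user up by `(iss, sub)` rather than email means a changed address does not silently create a second account.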