Enforce a verified email via OIDC auth

[jobannon]

Enforce a verified email via OIDC auth

Problem

The OIDC protocol allows for a claim email_verified. This proves that the user has verified their email in accordance with this federated partner's requirements (typically, this is the user clicking a link from their inbox). When FusionAuth is the SP, sometimes you only want to allow federation and user creation for users that have proven they have verified their email and own their email address.

Solution

We should offer an IdP configuration that prevents automatic linking and user creation unless this claim is present.
linking-strategies

Alternatives/workarounds

Manually create a user link using our Link API to only link one a user has a verified email address or meets other requirements.

This will only work if the IdP in question uses the email_verified claim when they are the IdP and FusionAuth is the SP.
Internal - 73727

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Related

• Add new default behavior to reject a link in an OIDC IdP if email_verified is present and is false #2423

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

[mooreds]

Could also update the lambda docs to show that.

[robotdan]

Looks like we duplicated this via #2423.