Add new default behavior to reject a link in an OIDC IdP if email_verified
is present and is false
#2423
Closed
5 tasks done
Description
When you configure an IdP in FusionAuth you always need to be sure you trust this 3rd party. However, to provide additional built-in protection, if the IdP does offer the `email_verified` claim in the UserInfo response, and the value is `false`, we should fail to link on email.
Workaround
If your Identity Provider returns the `email_verified` claim in the UserInfo response, you may inspect this claim in the OpenID Connect Reconcile lambda and, if it is provided and `false`, you could choose to throw an exception which would fail the login attempt.
While this will technically work, it is a poor user experience, and the error will not be helpful to the end user.
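The workaround above, written out as an added example (not code from the FusionAuth project or the issue author): an OpenID Connect reconcile lambda that throws when the UserInfo response carries `email_verified` equal to `false`, and lets logins through when the claim is absent or `true`. The lambda signature `reconcile(user, registration, jwt, id_token)` with `jwt` holding the UserInfo claims is assumed from the FusionAuth lambda documentation as I recall it; the `simulate` helper and the sample UserInfo objects are constructed here so the logic can be exercised outside FusionAuth.

```javascript
// Added example: FusionAuth OpenID Connect reconcile lambda that refuses to
// link when the IdP explicitly reports the email as unverified.
// Assumed signature: reconcile(user, registration, jwt, id_token), where
// `jwt` is the UserInfo claims object. Check the docs for your version.

function reconcile(user, registration, jwt, id_token) {
  // Only a claim that is present AND strictly false blocks the link; an
  // absent claim or `true` passes through, matching the issue's rule.
  if (jwt && jwt.email_verified === false) {
    throw new Error(
      'Refusing to link: IdP reports email_verified=false for ' +
        (jwt.email || '<no email claim>')
    );
  }
  // Ordinary reconcile work (illustrative assumption): copy claims onto the user.
  user.email = jwt.email;
  if (jwt.given_name) {
    user.firstName = jwt.given_name;
  }
  if (jwt.family_name) {
    user.lastName = jwt.family_name;
  }
}

// Test harness (constructed, not part of FusionAuth): run the lambda against a
// UserInfo object and report whether the login would have been linked or rejected.
function simulate(userInfo) {
  const user = {};
  try {
    reconcile(user, {}, userInfo, {});
    return { outcome: 'linked', email: user.email };
  } catch (e) {
    return { outcome: 'rejected', reason: e.message };
  }
}

// Constructed sample UserInfo responses covering the three cases that matter.
const verifiedUser = { sub: '1', email: 'alice@example.com', email_verified: true };
const unverifiedUser = { sub: '2', email: 'bob@example.com', email_verified: false };
const noClaimUser = { sub: '3', email: 'carol@example.com' };

console.log(simulate(verifiedUser));   // linked
console.log(simulate(unverifiedUser)); // rejected
console.log(simulate(noClaimUser));    // linked (claim absent, so not "present and false")
```

The strict `=== false` comparison is deliberate: it implements exactly the "present and is false" condition from the issue, so an IdP that omits the claim is not penalised by the lambda. As the issue notes, the end user only sees a generic login failure, which is why a built-in rejection with its own error code and themed message is preferable to this lambda.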
Additional information
This problem can apply to any IdP. However, IdPs such as Azure AD make it a bit more complicated because an AD connection can be configured to "Use Common Endpoint", which means a user can authenticate with any Azure AD tenant.
Auth0 has added some specific configuration for using Azure AD. In summary they allow you to consider all emails verified, or all emails unverified, when using this connection. When configured to consider all emails unverified, they force an email verification workflow inline during the first authentication. See https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azuread-adfs-email-verification.
We could consider adding this for all IdPs. This specific issue is really only addressing the OIDC IdP configuration. But we could consider adding a configuration for any IdP to indicate if FusionAuth should trust emails from the 3rd party knowing that we cannot know if the email is verified, not verified, or has been mutated at runtime.
Related
- Documentation
- `UnverifiedEmail` and new themed message `[ExternalAuthenticationException]UnverifiedEmail`
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Release Notes
When the OpenID Connect or External JWT Identity Provider is configured to Link by Email and the IdP returns a claim named `email_verified` and the value is `false`, the link request will be rejected. This change is intended to reduce the risk of linking on an unverified email address.