Description
When the email_verified claim is present only in the id_token but the email claim is resolved by the response from the Userinfo endpoint, a link will still be established even when the email_verified claim is false.
Affects versions
>= 1.48.0
Steps to reproduce
Configure an IdP to link by email.
The email claim is returned in the Userinfo response.
The email_verified claim is returned in the id_token.
A link will be established.
Note that this only occurs when the email and email_verified claims are not present in the same payload. For example, if both claims are returned by the IdP in the Userinfo response, it works as designed. If both claims are returned by the IdP in the id_token and not the Userinfo it works as designed.
Expected behavior
A link should not be established when email_verified is false.
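As an added illustration (not FusionAuth's code), the following Python models the bug class described above: a claim merge that only checks email_verified inside the payload that supplied email, next to a corrected merge that combines the id_token and Userinfo claims first and then requires email_verified to be true. The payloads and function names are constructed for this example.

```python
from typing import Any, Dict, Mapping, Optional

# Constructed sample payloads reproducing the split in this issue:
# email comes only from Userinfo, email_verified only from the id_token.
ID_TOKEN_CLAIMS = {"sub": "abc123", "email_verified": False}
USERINFO_CLAIMS = {"sub": "abc123", "email": "alice@example.com"}


def _as_bool(value: Any) -> bool:
    # Some IdPs send email_verified as the string "true"/"false".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def link_email_flawed(id_token: Mapping[str, Any], userinfo: Mapping[str, Any]) -> Optional[str]:
    """Flawed: only consults email_verified in the payload that supplied email.

    When Userinfo carries email but not email_verified, the false value in the
    id_token is never examined and the link is established anyway.
    """
    for payload in (id_token, userinfo):
        email = payload.get("email")
        if email:
            if "email_verified" in payload and not _as_bool(payload["email_verified"]):
                return None
            return email
    return None


def link_email_fixed(id_token: Mapping[str, Any], userinfo: Mapping[str, Any]) -> Optional[str]:
    """Fixed: merge both payloads, then require email plus email_verified == true.

    Per OIDC Core 5.3.2 the Userinfo sub must match the id_token sub, otherwise
    the Userinfo claims must not be used. A missing email_verified is treated as
    unverified (fail closed).
    """
    if userinfo.get("sub") != id_token.get("sub"):
        return None
    merged: Dict[str, Any] = dict(id_token)
    merged.update(userinfo)  # Userinfo values win for claims present in both
    email = merged.get("email")
    if not email or not _as_bool(merged.get("email_verified", False)):
        return None
    return email
```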
robotdan changed the title from "FusionAuth link completes despite email verified claim being false using OIDC" to "A link may be established even when email_verified is false returned separately from the email claim" on Nov 10, 2023.
Related
email_verified is present and is false #2423
Additional context
Customer reported