A link may be established even when email_verified is false returned separately from the email claim #2542

Closed
jobannon opened this issue Nov 6, 2023 · 1 comment

jobannon commented Nov 6, 2023

Description

When the email_verified claim is present only in the id_token but the email claim is resolved by the response from the Userinfo endpoint, a link will still be established even when the email_verified claim is false.

Affects versions

>= 1.48.0

Steps to reproduce

  1. Configure an IdP to link by email.
  2. The email claim is returned in the Userinfo response.
  3. The email_verified claim is returned in the id_token.
  4. A link will be established.

Note that this only occurs when the email and email_verified claims are not present in the same payload. For example, if both claims are returned by the IdP in the Userinfo response, it works as designed. If both claims are returned by the IdP in the id_token and not the Userinfo it works as designed.

Expected behavior

A link should not be established when email_verified is false.

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Customer reported
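The defect described in the report, modelled as an added example (not FusionAuth's own code): the first function consults `email_verified` only in the payload that supplied `email`, so a `false` in the id_token is never seen when the e-mail comes from Userinfo; the second evaluates the flag across both payloads before allowing a link. Function names, the Userinfo-first order and the sample claims are constructed for illustration.

```python
# Constructed example: linking an IdP account by e-mail when the OIDC claims are
# split across the id_token and the Userinfo response. Illustrative names only.
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class LinkDecision:
    allowed: bool
    email: Optional[str]
    reason: str


def link_by_email_per_payload(id_token: Mapping[str, Any],
                              userinfo: Mapping[str, Any]) -> LinkDecision:
    """Models the reported defect: email_verified is only consulted in the payload
    that supplied the email claim, so a false value elsewhere is never seen."""
    for payload in (userinfo, id_token):  # Userinfo resolved first (constructed order)
        email = payload.get("email")
        if email:
            if payload.get("email_verified") is False:
                return LinkDecision(False, email, "email_verified false in same payload")
            return LinkDecision(True, email, "email found, no false flag in same payload")
    return LinkDecision(False, None, "no email claim")


def link_by_email_merged(id_token: Mapping[str, Any],
                         userinfo: Mapping[str, Any],
                         require_verified: bool = False) -> LinkDecision:
    """Corrected logic: evaluate email_verified across both payloads before linking.
    Any value other than true blocks the link; require_verified=True also blocks when
    the claim is absent from both payloads (a stricter, constructed policy)."""
    email = userinfo.get("email") or id_token.get("email")
    if not email:
        return LinkDecision(False, None, "no email claim")
    flags = [p["email_verified"] for p in (id_token, userinfo) if "email_verified" in p]
    if any(f is not True for f in flags):
        return LinkDecision(False, email, "email_verified is not true")
    if require_verified and not flags:
        return LinkDecision(False, email, "email_verified claim missing")
    return LinkDecision(True, email, "email verified")


# The reproduction from the report: email from Userinfo, email_verified=false in id_token.
ID_TOKEN = {"sub": "idp-user-1", "email_verified": False}       # constructed claims
USERINFO = {"sub": "idp-user-1", "email": "user@example.com"}   # constructed claims

if __name__ == "__main__":
    print("per-payload:", link_by_email_per_payload(ID_TOKEN, USERINFO))  # allowed=True (bug)
    print("merged:     ", link_by_email_merged(ID_TOKEN, USERINFO))       # allowed=False
```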

@robotdan robotdan added the bug Something isn't working label Nov 10, 2023
@robotdan robotdan self-assigned this Nov 10, 2023
@robotdan robotdan added this to the 1.48.2 milestone Nov 10, 2023
@robotdan robotdan added this to Code complete in FusionAuth Issues Nov 10, 2023
@robotdan robotdan changed the title FusionAuth link completes despite email verified claim being false using OIDC A link may be established even when email_verified is false returned separately from the email claim Nov 10, 2023
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Nov 17, 2023