How do I avoid making OAuth users verify their email address?


I have MS Entra as an identity provider. I'm using the basic_connector OAuth2.0 configuration. After new users log in for the first time, they are asked to verify their email addresses.

I have "Check Email Verified" ("The OAuth2 site has verified the email") set to "yes". It's definitely true that the OAuth2.0 provider has verified all the email addresses. It's a definitive relationship, since the ID provider and email provider are effectively the same, for this class of authenticated & authorized users.

I have tried a variety of values in the "Email Verified JSON Path" such as "verified_primary_email" but none of the options have worked.

1 Answer

Answering my own question:

"Check Email Verified" can be left off, in such cases.

The "off" setting means that it is taken for granted that the ID provider would have verified all emails.

The "on" setting implies that the ID provider may or may not have completed checking the validity of the user's email address, and apache answer can learn about the validation only when the IDP includes that information as a boolean value in the user info JSON.

If all OAuth2.0 user emails are verified, leave it off.

If a boolean field in the user information JSON indicates that the email has been verified, turn on the "Check..." setting. Enter the JSON Path for that field in the "Email Verified JSON Path".

If you cannot rely on the ID Provider data to indicate whether emails are validated, turning on "Check Email Verified" without having a working JSON Path to a boolean field will result in the behavior described above. Apache Answer's built-in validation of email addresses will start, somewhat awkwardly, after the OAuth2.0 login.
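A worked example of the decision the answer describes, added here and not taken from Apache Answer or the basic_connector plugin: a Go function that mirrors the "Check Email Verified" switch and the "Email Verified JSON Path" lookup over a constructed user-info document. The dotted-path syntax, the function names and the sample document are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lookup walks a dotted path such as "profile.email_verified" through decoded
// JSON. This dotted syntax is an assumed stand-in for the plugin's JSON Path.
func lookup(doc any, path string) (any, bool) {
	cur := doc
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// NeedsVerification reports whether Apache Answer's own e-mail verification
// should run after the OAuth2 login. checkEnabled mirrors "Check Email
// Verified" and path mirrors "Email Verified JSON Path".
func NeedsVerification(checkEnabled bool, path string, userInfo []byte) (bool, error) {
	if !checkEnabled {
		return false, nil // "off": the IdP is trusted to have verified every address
	}
	var doc any
	if err := json.Unmarshal(userInfo, &doc); err != nil {
		return true, err
	}
	v, found := lookup(doc, path)
	verified, isBool := v.(bool)
	// A missing field or a non-boolean value (e.g. the string "true") counts as
	// unverified, which is the fallback behaviour the answer describes.
	return !(found && isBool && verified), nil
}

func main() {
	// Constructed sample user-info document, not from any real IdP.
	info := []byte(`{"email_verified":true,"profile":{"verified_primary_email":"true"}}`)
	for _, path := range []string{"email_verified", "profile.verified_primary_email", "missing"} {
		need, _ := NeedsVerification(true, path, info)
		fmt.Printf("path=%q -> needs verification: %v\n", path, need)
	}
}
```

Note that a claim encoded as the string "true" rather than a JSON boolean is not accepted, which is one way a path that looks right can still trigger the post-login verification.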