Email Verified Doesn't Correctly Parse on User When Set to Non-Boolean String #570

@timmonfette1

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this SDK and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Currently, when setting up a SAML Connection, you are allowed to map any "truthy" value to the email_verified property on the user. This is despite the fact that this value is explicitly parsed as a boolean using strconv.ParseBool on this line in the SDK: https://github.com/auth0/go-auth0/blob/main/management/user.go#L146

This means that the SDK conflicts with the actual support that Auth0 has for this field - as an example, a "workaround" to setting this property on SAML connection logins is to manually set the value through a claim mapping (the ability to automatically set this like on other enterprise login types is a different desire). This workaround means you can get a resulting property on the user that looks something like this after the mapping has been applied:

"email_verified": "myemail@dummy.com"

Auth0 allows this, the Auth0 UI properly understands this to mean the email is verified, the Auth0 Management API properly serializes this into JSON when returning the user (despite Auth0's own docs for the Management API saying the only valid values are true and false), but any attempts to retrieve this user - either individually or through listing - using the SDK error with a failure based on that strconv.ParseBool call, as that is clearly not a valid boolean string.

Expectation

The expectation is that the SDK has parity in terms of functionality to the Auth0 Management API. If the Management API supports any "truthy" value in the email_verified field, then the SDK needs to support the same. However, given that the SDK has explicitly set this to a boolean for so long, the expectation would be that it still continues to return a boolean but with better support for string parsing to avoid issues with consumers of the SDK who are expecting a true boolean value (or at least a major version bump should the response type need to change).

Reproduction

  1. Given an Enterprise SAML connection with a mapping that includes

"email_verified": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress".

  2. When a user logs into an Auth0 application using an email that is for the SAML connection.
  3. Then notice that the email_verified on the user is set to the email address and any attempts to retrieve that user from the SDK will error.

Auth0 Go SDK version

1.22.2
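
The decoding problem described in this issue, as an added example that is not code from go-auth0 or from the issue author: a type that decodes email_verified from a JSON boolean, a boolean string, or an arbitrary string without returning an error. The names EmailVerified, Truthy and decodeUser are hypothetical, and treating a non-boolean string as unverified by default while keeping the raw value is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// EmailVerified is a hypothetical consumer-side type, not part of go-auth0.
type EmailVerified struct {
	Verified bool   // true only for JSON true or a string ParseBool reads as true
	Raw      string // any other string value, kept for review
}

func (e *EmailVerified) UnmarshalJSON(b []byte) error {
	var v interface{}
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	switch t := v.(type) {
	case nil: // JSON null: stays unverified
	case bool:
		e.Verified = t
	case string:
		parsed, err := strconv.ParseBool(t)
		if err != nil {
			e.Raw = t // assumption: fail closed instead of returning an error
		}
		e.Verified = parsed
	default:
		return fmt.Errorf("email_verified: unsupported JSON type %T", v)
	}
	return nil
}

// Truthy follows the behaviour the issue attributes to the Auth0 UI.
func (e EmailVerified) Truthy() bool { return e.Verified || e.Raw != "" }

func decodeUser(payload string) (EmailVerified, error) {
	var u struct {
		EmailVerified EmailVerified `json:"email_verified"`
	}
	err := json.Unmarshal([]byte(payload), &u)
	return u.EmailVerified, err
}

func main() {
	ev, err := decodeUser(`{"email_verified":"myemail@dummy.com"}`) // constructed payload
	fmt.Println(ev.Verified, ev.Truthy(), ev.Raw, err)
}
```

Code that makes authorization or account-linking decisions can read Verified, while Truthy reproduces the looser interpretation and Raw shows what the claim mapping actually stored.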


Labels: bug (Something isn't working)
