provider: Only use verified email as username #1249
+132
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1249 +/- ##
=======================================
Coverage ? 80.08%
=======================================
Files ? 20
Lines ? 984
Branches ? 0
=======================================
Hits ? 788
Misses ? 196
Partials ? 0 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
adombeck
force-pushed
the
UDENG-8970-verified-email
branch
from
e0092dd to
7954376
Compare
adombeck
changed the title
Contributor
Author
|
The failures of the code sanity jobs are unrelated |
denisonbarbosa
approved these changes
Feb 9, 2026
Member
denisonbarbosa
left a comment
denisonbarbosa
left a comment
There was a problem hiding this comment.
Just a small fix that should be easily addressable. Everything else looks great!
authd-oidc-brokers/internal/providers/genericprovider/genericprovider.go
Outdated
Show resolved
Hide resolved
Keycloak allows users to change their email address themselves without verifying it first. The ID token includes an `email_verified` claim which we now check and return an error if it's false, to avoid that users can log in with arbitrary usernames. This method of the genericprovider is also used by the Google provider which also includes the `email_verified` claim in the ID token. The `email_verified` claim is in fact defined as a standard claim in the OIDC spec (which doesn't mean that all IdPs have to set it).
We don't want to return a user info with an empty username in case the email claim is missing in the ID token.
The provider returns the sub claim as the UUID field in the user info, which we store in the token.json. We don't currently use the UUID for anything, but from the provider's perspective it should not return a user info with an empty UUID. However, we should consider removing the UUID field because it's unused which can be confusing.
adombeck
force-pushed
the
UDENG-8970-verified-email
branch
from
9df396e to
1ddeea7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Keycloak allows users to change their email address themselves without verifying it first. The ID token includes an
email_verifiedclaim which we now check and return an error if it's false, to avoid that users can log in with arbitrary usernames.This method of the genericprovider is also used by the Google provider which also includes the
email_verifiedclaim in the ID token.The
email_verifiedclaim is in fact defined as a standard claim in the OIDC spec (which doesn't mean that all IdPs have to set it).UDENG-8970