Missing "email_verified" in OIDC claim #1405
Comments
Setting email_verified to false seems like the correct behavior in these cases. I realize it's inconvenient, but being able to fake an email is a serious security issue, so I don't think it's appropriate to assume email_verified=True
Hello, providers needing email validation set this field. It's only missing if email validation has no meaning for this enrollment process (like employee enrollment). I linked the same discussion above in the Kubernetes connector (I assume they need good security too ;) ). But yes, maybe it's better to add a config parameter to let the OIDC provider choose?
An InsecureSkipEmailVerified config option seems fine
I think more about changing the default value rather than skipping it. defaultEmailVerified={Value of email_verified if missing in OIDC claim} ?
This is now merged #1417
Hello,
When an OIDC provider returns a claim with "email" but without the "email_verified" field, Dex assumes it to be false, and the newly generated claim contains "email_verified=false".
Some enterprise providers return claims without "email_verified" when they have no use for email verification in their enrollment process. Like Okta, CloudFoundry, ...
When this field is missing, we need to treat it as a successful validation instead of a validation error - or at least leave it unchanged (missing) in the generated claim.
In my case, OAuth2_proxy talking directly to my provider (Okta) works (OAuth2_proxy assumes a missing field is valid), but when I plug Dex between OAuth2_proxy and my provider (to allow multiple providers) authentication fails.
Some links:
I made a trivial patch in the OIDC connector to work around this (if verified is missing then verified is True), following Kubernetes & OAuth2Proxy practices. I can post it if you want.
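The decision discussed in this thread, written out as an added Go example (not Dex's own connector code): an absent `email_verified` defaults to false and the login is rejected, unless an opt-in flag like the proposed `InsecureSkipEmailVerified` is set; an explicit `false` from the provider is never overridden. The `Claims`/`Identity` types, the sample claims JSON and the rejection in `handleClaims` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is the subset of ID-token claims relevant here. email_verified is a
// *bool so that "absent" stays distinguishable from an explicit false.
type Claims struct {
	Email         string `json:"email"`
	EmailVerified *bool  `json:"email_verified,omitempty"`
}

// Identity is what the connector hands on to the relying party (constructed type).
type Identity struct {
	Email         string
	EmailVerified bool
}

// resolveEmailVerified picks the value for the generated claim. A value stated
// by the provider always wins; only an absent field falls back to the flag.
func resolveEmailVerified(c Claims, insecureSkipEmailVerified bool) bool {
	if c.EmailVerified != nil {
		return *c.EmailVerified
	}
	return insecureSkipEmailVerified // default false: absent means unverified
}

// handleClaims decodes the claims and rejects an unverified email, standing in
// for the downstream check that made the Okta-via-Dex login fail.
func handleClaims(raw []byte, insecureSkipEmailVerified bool) (Identity, error) {
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Identity{}, fmt.Errorf("decode claims: %w", err)
	}
	if c.Email == "" {
		return Identity{}, errors.New("claims contain no email")
	}
	id := Identity{Email: c.Email, EmailVerified: resolveEmailVerified(c, insecureSkipEmailVerified)}
	if !id.EmailVerified {
		return id, fmt.Errorf("email %q not verified by provider", c.Email)
	}
	return id, nil
}

func main() {
	okta := []byte(`{"sub":"00u1","email":"alice@example.com"}`) // constructed: no email_verified
	_, err := handleClaims(okta, false)
	fmt.Println("default:", err)
	id, err := handleClaims(okta, true)
	fmt.Println("skip option:", id, err)
}
```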