Require verified address doesn't work for OIDC identities

[jonas-jonas]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

When Require Verified Address for Login is activated, OIDC identities can still login, even if they have not verified their email address yet.

Reproducing the bug

1. Enable Require Verified Address for Login
2. Login using an unverified OIDC identity
3. See the login go through

Relevant log output

No response

Relevant configuration

No response

Version

master

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

https://ory-community.slack.com/archives/C02MR4DEEGH/p1676539388349389

[jonas-jonas]

I can still reproduce this. Taking a look now.

[jonas-jonas]

Ah, the frontend only sets the hook for the password method. It doesn't for OIDC & Webauthn. So this is just a console issue.

[jonas-jonas]

Don't think it makes sense to fix this in the old UI, when we're going to rewrite this soon.

You can use the CLI to set the require_verified_address hook, in the meantime.

[aeneasr]

There is a more fundamental issue here too - the verified status is not carried over from the oidc provider. So basically every user is unverified when using social sign in in kratos.

[jonas-jonas]

Related to ory/kratos#3424

[aeneasr]

That issue is now closed in Ory Kratos, is this here then also fixed?

[jonas-jonas]

No, it's just related, but doesn't solve the issue.

But this is just a console issue, as right now we're only setting the require_verified_address hook for password login.

[aeneasr]

I confirmed that this bug is fixed on production. Closing!