
Enabling the email_verified claim

OneLogin does not natively verify email addresses for new users, so in the context of OpenID Connect the optional email_verified claim is omitted from the ID Token when the email scope is requested.

This guide will show you how to override the default behavior and enable the email_verified claim in your ID Tokens.

1: Create a Custom Attribute

First we will create a custom attribute to hold the email verification state for a user.

[Screenshot: Email Verified Custom Attribute]

It doesn’t really matter what short name you give this field, but for consistency we will name it email_verified.

2: Set Email Verified value for a user

If the value of email_verified is null or not assigned, it will not be returned as a claim in the ID Token.

Therefore, if you want to mark an email address as verified, you need to set this value to true.

This can be achieved by setting the email_verified custom attribute via the Users API (replace the placeholders in angle brackets with your own subdomain, API access token and user ID):

curl 'https://<subdomain>.onelogin.com/api/2/users/<user_id>' \
-X PUT \
-H "Authorization: bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
    "custom_attributes": {
        "email_verified": "true"
    }
}'

or directly through the OneLogin Admin panel by browsing to the user that you want to update.

[Screenshot: Set Email Verified]

3: Add OIDC App parameter

The final configuration step is to add an email_verified parameter to your OIDC app. This can be done via the Apps API, where you set the parameter's user_attribute_mappings value to the custom attribute that you defined in step 1 (again, replace the placeholders in angle brackets with your own subdomain, API access token and app ID):

curl 'https://<subdomain>.onelogin.com/api/2/apps/<app_id>' \
-X PUT \
-H "Authorization: bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
    "parameters": {
        "email_verified": {
            "user_attribute_mappings": "custom_attribute_email_verified",
            "label": "email_verified"
        }
    }
}'

or alternately via the Admin panel by browsing to the app that you want to update, adding a parameter named email_verified, and then mapping that to the custom attribute.
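Steps 2 and 3 are two PUT calls against the Users and Apps APIs. The following Python script is an added example, not OneLogin's own code or tooling: it builds both request bodies exactly as shown in the curl commands above and sends them with the standard library. The subdomain, access token, user ID and app ID are placeholders you must fill in; deriving the mapping name from the custom attribute's short name (custom_attribute_<shortname>) generalises the single value shown on this page and is an assumption.

```python
import json
import urllib.request

# Placeholders (assumed): your OneLogin subdomain and an API access token that
# may update users and apps. Fill these in before running against a real account.
SUBDOMAIN = "<subdomain>"
ACCESS_TOKEN = "<access_token>"


def base_url(subdomain):
    """OneLogin v2 API base for the given subdomain."""
    return f"https://{subdomain}.onelogin.com/api/2"


def user_update_request(subdomain, user_id, verified):
    """Step 2: set (or clear) the email_verified custom attribute on one user.

    The page stores the flag as the string "true"; a null value means the
    claim is omitted from the ID Token, so clearing it un-verifies the user
    (assumption: null is sent as JSON null, matching the page's description).
    """
    return {
        "method": "PUT",
        "url": f"{base_url(subdomain)}/users/{user_id}",
        "body": {"custom_attributes": {"email_verified": "true" if verified else None}},
    }


def app_parameter_request(subdomain, app_id, attribute_shortname="email_verified"):
    """Step 3: add an email_verified parameter to the OIDC app, mapped to the
    custom attribute from step 1. The mapping name custom_attribute_<shortname>
    is derived from the one value shown on the page (assumption)."""
    return {
        "method": "PUT",
        "url": f"{base_url(subdomain)}/apps/{app_id}",
        "body": {
            "parameters": {
                "email_verified": {
                    "user_attribute_mappings": f"custom_attribute_{attribute_shortname}",
                    "label": "email_verified",
                }
            }
        },
    }


def send(req, token):
    """Perform one of the requests built above; returns (status, parsed JSON body)."""
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(
        req["url"],
        data=data,
        method=req["method"],
        headers={
            "Authorization": f"bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Dry run: print the requests instead of sending them. Replace the IDs
    # (placeholders) and call send(...) once the placeholders are filled in.
    for req in (
        user_update_request(SUBDOMAIN, "<user_id>", True),
        app_parameter_request(SUBDOMAIN, "<app_id>"),
    ):
        print(req["method"], req["url"])
        print(json.dumps(req["body"], indent=2))
```

Run it as-is to see the two request bodies; once the placeholders are filled in, replace the print loop with `send(req, ACCESS_TOKEN)` for each request. Keep the access token out of the script itself (an environment variable or secret store) when you automate this.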

[Screenshot: Set Email Verified]

Test the flow

With the configuration complete, it’s now time to test. Do this by starting any OpenID Connect flow and including the email scope. If you have followed the steps above, then on successful completion of the flow you will see an email_verified claim returned in the ID Token. 👏

{
  "sub": "36216766",
  "email": "kelly@onelogin.com",
  "preferred_username": "kelly",
  "name": "Kelly Smith",
  "updated_at": 1604948633,
  "given_name": "Kelly",
  "family_name": "Smith",
  "email_verified": true,
  "aud": "82d519a0-6b27-0138-3af1-062c86f29d48118462",
  "exp": 1604955884,
  "iat": 1604948684,
  "iss": "https://samplecompany.onelogin.com/oidc/2"
}
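On the relying-party side, the claim is only useful if the application actually checks it. The function below is an added example, not OneLogin's code: it takes already signature-verified claims (the sample above is embedded as test data) and returns the email address only when the token was issued by the expected issuer for this client, is unexpired, and carries email_verified as the JSON boolean true. A string "true", which is what the custom attribute is stored as on the OneLogin side, is deliberately rejected so that a misconfigured mapping cannot be mistaken for a verified address. The issuer and client ID values are taken from the sample token; the check runs offline.

```python
import time

# Claims copied from the page's sample ID Token. Signature and nonce
# validation are assumed to have been done already by your OIDC library;
# this function only decides whether the email can be trusted.
SAMPLE_CLAIMS = {
    "sub": "36216766",
    "email": "kelly@onelogin.com",
    "preferred_username": "kelly",
    "name": "Kelly Smith",
    "updated_at": 1604948633,
    "given_name": "Kelly",
    "family_name": "Smith",
    "email_verified": True,
    "aud": "82d519a0-6b27-0138-3af1-062c86f29d48118462",
    "exp": 1604955884,
    "iat": 1604948684,
    "iss": "https://samplecompany.onelogin.com/oidc/2",
}

EXPECTED_ISSUER = "https://samplecompany.onelogin.com/oidc/2"
EXPECTED_CLIENT_ID = "82d519a0-6b27-0138-3af1-062c86f29d48118462"


def trusted_email(claims, issuer, client_id, now=None):
    """Return the email from `claims` if it may be trusted, else None.

    Trust requires: iss matches our issuer, aud contains our client_id,
    exp is in the future, and email_verified is exactly boolean True
    (the string "true" or a missing claim both count as unverified).
    """
    now = time.time() if now is None else now

    if claims.get("iss") != issuer:
        return None

    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return None

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None

    # `is True` rejects 1, "true", "True" and any other truthy non-boolean.
    if claims.get("email_verified") is not True:
        return None

    email = claims.get("email")
    return email if isinstance(email, str) and email else None


if __name__ == "__main__":
    # Evaluate at a time inside the sample token's validity window.
    print(trusted_email(SAMPLE_CLAIMS, EXPECTED_ISSUER, EXPECTED_CLIENT_ID, now=1604950000))
```

Applications that key accounts on email (account linking, password reset, invitations) should call a check like this rather than reading the email claim directly; the page's configuration only makes the claim available, it does not make the email scope safe to trust by itself.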
