Suggested workflow for authentication via Twitter

When I log in via Google or email+pwd, Auth0 returns me a User object including the email_verified field properly set. When I use Twitter login, this field is simply missing. That is not consistent.

It really depends on which claims each IdP supports. For Google, it’s obvious from their OIDC discovery doc that email_verified is a supported claim:

https://accounts.google.com/.well-known/openid-configuration

With Twitter, since they only support OAuth2 and not OIDC afaik, it’s not obvious; I couldn’t find it in the Twitter docs, but I think it’s simply not provided. And Auth0 can only rely on what the IdP provides; it wouldn’t make up the value of email_verified on its own. (I haven’t tested Twitter in detail to see exactly which claims come back.)

The email_verified field is present neither in my client code nor in the token

You cannot update the email_verified field directly in a Rule like this. It’s a protected field. I’ll provide you with a different code snippet in a bit on how to change it (by making a call to the Management API), especially since you want to persist that info anyway; just using user.email_verified = true in the rule doesn’t persist it in the user store, it’s only a temporary change.

Update: @AntonioM

Here are two approaches, depending on whether you want/need to persist the email_verified flag in the user store or whether it’s sufficient to put it in the ID token (and afterwards forget about it).

With persistence (Rule code):

function (user, context, callback) {

  if (context.connectionStrategy === "twitter") {

    // Management API client; auth0.accessToken and auth0.domain are provided by the Rules sandbox
    var ManagementClient = require('auth0@2.6.0').ManagementClient;
    var management = new ManagementClient({
      token: auth0.accessToken,
      domain: auth0.domain
    });

    // persist in user store, then copy the persisted values into the ID token
    management.updateUser({ id: user.user_id }, { email_verified: true })
      .then(function (u) {
        context.idToken.email_verified = u.email_verified;
        context.idToken.email = u.email;
        callback(null, u, context);
      })
      .catch(function (err) {
        // fail the login rather than issuing a token without the claim
        callback(err);
      });
  } else { // if not twitter
    callback(null, user, context);
  }

}

Without persistence (Rule code):

function (user, context, callback) {

  if (context.connectionStrategy === "twitter") {
    // set for this login's ID token only; nothing is written to the user store
    context.idToken.email_verified = true;
    context.idToken.email = user.email;
  }

  callback(null, user, context);
}
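To check the persisting Rule's three paths offline (Twitter login with the Management API succeeding, Twitter login with the API failing, and a non-Twitter passthrough), here is an added example that is not part of the original thread. It assumes the Rules sandbox injects `require('auth0@2.6.0').ManagementClient` and the `auth0` global, and stands both in with constructed fakes; the user record, token and domain values are constructed too.

```javascript
// Added example, not code from the original thread: it runs the "with persistence"
// Rule above offline against a constructed stand-in for the Auth0 Management client.
// In the real Rules sandbox, require('auth0@2.6.0').ManagementClient and the `auth0`
// global are injected; here both are replaced by fakes passed into makeRule().
function makeRule(ManagementClient, auth0) {
  return function rule(user, context, callback) {
    if (context.connectionStrategy !== 'twitter') {
      return callback(null, user, context); // non-Twitter logins pass through untouched
    }
    const management = new ManagementClient({ token: auth0.accessToken, domain: auth0.domain });
    management.updateUser({ id: user.user_id }, { email_verified: true })
      .then((u) => {
        // claims are copied from the persisted record the API returned, not from the request
        context.idToken.email_verified = u.email_verified;
        context.idToken.email = u.email;
        callback(null, u, context);
      })
      .catch((err) => callback(err)); // an API failure fails the login instead of minting a token
  };
}

// Constructed fake client: records the update it would send and either returns the
// merged user record or rejects, so both branches of the Rule can be exercised.
function fakeClientFactory(failure) {
  const calls = [];
  class FakeManagementClient {
    constructor(opts) { this.opts = opts; }
    updateUser(query, data) {
      calls.push({ id: query.id, data });
      if (failure) return Promise.reject(failure);
      return Promise.resolve({ user_id: query.id, email: 'alice@example.com', ...data });
    }
  }
  return { FakeManagementClient, calls };
}

// Runs the Rule for one connection strategy and resolves with what the callback received.
function runRule(strategy, failure) {
  const { FakeManagementClient, calls } = fakeClientFactory(failure);
  const auth0 = { accessToken: 'constructed-token', domain: 'tenant.example.auth0.com' }; // constructed
  const user = { user_id: 'twitter|123', email: 'alice@example.com' }; // constructed, no email_verified
  const context = { connectionStrategy: strategy, idToken: {} };
  return new Promise((resolve) => {
    makeRule(FakeManagementClient, auth0)(user, context, (err, u, ctx) => resolve({ err, user: u, context: ctx, calls }));
  });
}

// Stand-alone demo: success, Management API failure, and non-Twitter passthrough.
Promise.all([runRule('twitter'), runRule('twitter', new Error('API down')), runRule('google-oauth2')])
  .then((results) => results.forEach((r) => console.log(r.err ? r.err.message : r.context.idToken, r.calls.length)));
```

The failure case is the one worth keeping an eye on in a real tenant: because the Rule hands the error to the callback, the login is rejected rather than completed with an ID token that lacks the claim.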