Suggested workflow for authentication via Twitter

mathiasconradt · March 10, 2020, 12:31pm

When I login via Google or email+pwd, Auth0 returns me a User object including the email_verified field properly set. When I use twitter login this field is simply missing. That is not consistent.

It really depends what claims each IdP supports. From Google it’s obvious from their OIDC discovery doc that email_verified is a supported claim.

https://accounts.google.com/.well-known/openid-configuration

Twitter, since they just support OAuth2 but not OIDC afaik, it’s not obvious, and I couldn’t find it in the Twitter docs, but I think it’s simply not provided. And Auth0 can only rely on what the IdP provides, it wouldn’t make up the value for email_verified just on its own. (I haven’t tested Twitter in detail and what claims exactly come back).

email_verified field is not present in my client code nor in the token

You cannot update the email_verified field directly in a Rule like this. It’s a protected field. I’ll provide you with a different code snippet in a bit how do change it (making a call to the Management API), especially since you want to persist that info anyway, and just using user.email_verified = true in the rule doesn’t persist it in the user store, it’s just a temporary change.

Update: @AntonioM

Here’s two approach, depending whether you want/need to persist the email_verified flag in the user store or of it’s sufficient to put it in the ID token (and afterwards forget about it).

With persistence (Rule code):

function (user, context, callback) {

  if (context.connectionStrategy === "twitter")  {

    var ManagementClient = require('auth0@2.6.0').ManagementClient;
    var management = new ManagementClient({
        token: auth0.accessToken,
        domain: auth0.domain
    });
        
     // persist in user store
    management.updateUser({id: user.user_id}, {email_verified:true})
    .then(function(u){    
      context.idToken.email_verified = u.email_verified;
      context.idToken.email = u.email;    
      callback(null, u, context);
    })
    .catch(function(err){
      callback(err);
    });     
  } else { // if not twitter
    callback(null, user, context);
  }

}

Without persistence (Rule code):

function (user, context, callback) {

  if (context.connectionStrategy === "twitter")  {
    context.idToken.email_verified = user.email_verified;
    context.idToken.email = user.email;
  }

  callback(null, user, context);
}

Topic		Replies	Views
Is twitter authentication broken for everyone? Help connections , other-built-in-social-connections	6	356	May 28, 2024
Confusion with switching from developer key to production key Help	2	4098	September 26, 2020
Replace developer key with production one in existing app Help	6	2188	April 22, 2022
How to send an email verification (with code) and require it to verify email after signup? Help signup , email-verification	4	6442	September 1, 2023
After changing user's email, no way to send them a verification email :( Help verification-email	2	4489	July 25, 2019

Suggested workflow for authentication via Twitter

Related topics