Email missing from profile created through Facebook login

While testing our Facebook social login we noticed that in one of the cases the email address is missing from the Auth0 user profile. We verified the Facebook account has a primary email address and the email checkbox (and therefore scope) has been checked when first logging in. There is no reason the email address should be missing, because with another account it works as expected. We also tried removing the app from the Facebook account and deleting the Auth0 profile (starting fresh), without any luck.

Another strange thing is `email_verified = true` in the RAW JSON tab of the user profile, while the email attribute is missing.

Apparently the same issue as user hsq125. See "Can't get email from id_token" (Auth0 Community).

This discussion might be useful: https://github.com/mkdynamic/omniauth-facebook/issues/61. The user borama mentions it happens in 2% of the logins (comment from 2012, so might be unrelated). This might be inaccurate, but the fact that it happened on our second test is alarming. It breaks our login flow and requires dirty hacks to solve.

Does anyone have an idea how to resolve this?

I can’t provide steps to reproduce, but am willing to demonstrate through a TeamViewer session if needed.

3 Likes

Same here.
Also, we cannot modify the email address of a user after registration. If it was possible, we could ask him after he signs up.

1 Like

When a user creates a Facebook account they can do this either by email or by phone number. These Facebook users are users who created an account by phone number. I don’t know why it comes through as email_verified true - they should be phone_verified true instead. I’ve not yet been able to solve this in an elegant way. It really needs a change from Auth0 to correctly handle these users.

2 Likes

Auth0, any update on this? The email_verified flag should be a secure way of telling the email address is valid and verified. Now I still have workarounds in my codebase. I can’t imagine we’re the only three people experiencing this issue.

3 Likes

Same here.

So far I’ve experienced 4 serious bugs with Auth0, and have received no reply from support. Overall, using Auth0 has been more difficult than writing my own auth from scratch.

5 Likes

:wave: @maurits I’m sorry that you’ve been experiencing this issue for a while now. Let’s see what we can do! It’ll be a bit tricky since it seems to not be easily reproducible on my side. It seems the community topic you linked to was a case of needing to select the email address attribute, which I believe we can rule out since you specified you are requesting it (Facebook’s default attributes can be found here, which include public profile items, email not being one, so we must include it in the social connection settings). You also said the user has an email, so I don’t believe it’s the case where a user has only a phone number associated with their Facebook and no email, but if that was the case we could remedy this with a Redirect Rule and send the user to a page where they can enter an email for their account and call the Auth0 Management API PATCH user endpoint to store the email in the user’s user_metadata: Auth0 Management API v2, since we wouldn’t be able to update the email attribute coming from the IdP, Facebook in this case.

If a user denies the attribute/permission(s) we could re-prompt the user as described here by using the prompt=consent parameter. Depending on your use case, we can also consider progressive profiling.

https://auth0.com/docs/connections/social/reprompt-permissions

@daninfpj I apologize you’ve been experiencing several issues with the product. Can you share with me the support tickets you’ve opened and I can take a look? Or if you’d like to share your experience(s) and how we can improve? Please feel free to DM as well.
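
The case discussed in this thread (a profile with `email_verified: true` but no `email`, and the Redirect Rule plus `user_metadata` remedy from the Auth0 reply), as an added example that is not part of any post above and is not Auth0's own code. The collection URL, the claim namespace and the `email_confirmed` metadata key are assumptions made for illustration.

```javascript
// Added example; COLLECT_EMAIL_URL, CLAIM_NS and email_confirmed are assumptions.
const COLLECT_EMAIL_URL = "https://app.example.com/collect-email"; // hypothetical page
const CLAIM_NS = "https://app.example.com/";                       // hypothetical namespace
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // loose syntax check, proves nothing about ownership

// Decide which address (if any) the application may use, and how far to trust it.
function resolveEmail(user) {
  const idpEmail = typeof user.email === "string" ? user.email.trim() : "";
  if (idpEmail) {
    // email_verified only means something when an address accompanies it.
    return { email: idpEmail, verified: user.email_verified === true, source: "idp" };
  }
  const meta = user.user_metadata || {};
  const collected = typeof meta.email === "string" ? meta.email.trim() : "";
  if (EMAIL_RE.test(collected)) {
    // Self-asserted address: verified only if our own confirmation flow set the flag.
    return { email: collected, verified: meta.email_confirmed === true, source: "user_metadata" };
  }
  return { email: null, verified: false, source: "none" };
}

// Rule-shaped function: redirect to the collection page when no address is available.
function requireEmailRule(user, context, callback) {
  const resolved = resolveEmail(user);
  if (resolved.email === null && context.protocol !== "redirect-callback") {
    context.redirect = { url: COLLECT_EMAIL_URL }; // skipped on resume to avoid a loop
  }
  context.idToken = context.idToken || {};
  context.idToken[CLAIM_NS + "email"] = resolved.email;
  context.idToken[CLAIM_NS + "email_trusted"] = resolved.verified;
  return callback(null, user, context);
}

// Request the collection page's backend would send to the Management API.
function buildMetadataPatch(domain, userId, email) {
  if (!EMAIL_RE.test(email)) throw new Error("invalid email");
  return {
    method: "PATCH",
    // user ids such as "facebook|123" contain "|" and must be URL-encoded
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    body: { user_metadata: { email: email, email_confirmed: false } },
  };
}
```

An address taken from `user_metadata` is self-asserted, so keep it out of account-linking and password-reset decisions until your own confirmation flow has set the flag.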