Last Updated: Aug 8, 2024
Overview
The custom DB email verification flow does not update the email_verified field in the user profile unless the user logs in a second time. Silent authentication or refresh token calls do not help renew the user profile for the email verification status because the Get User and Login scripts do not execute for these flows.
This limitation causes issues when attempting to insert the user’s email verification status in a custom claim in an ID token due to the additional login requirement.
Cause
The documentation related to the Email Verification script, Return a success, does not cover this use case. It recommends returning the following payload when an email is verified. As this sample script does not update the user’s email_verified field, it needs a new login to update it.
callback(null, true)
NOTE: For now, it is necessary to coerce the user_id to a string when returning it to the callback.
Solution
With the new response payload for the Verification script, as shown below, the email_verified field is updated in the user profile when the email verification link is consumed. This allows the user profile to be updated on Auth0. A silent authentication or refresh token call can then help get an updated email verification status in a custom claim without the need to log in.
let profile = {
user_id: “xxx”,
email: “xxx”,
email_verified: true
};
return callback(null, profile);
NOTE: user_id must be a string.