"email_verified=False" when user logs in with Github

Knowledge Solutions
, , ,
1

Problem statement

We noticed a user profile has “email_verified: false” with GitHub social login. What might cause the email_verified set to false?

Steps to reproduce

  1. Create a GitHub social login connection in your tenant
  2. Assign this connection to a test application
  3. Login via the test application, selecting the GitHub Social login
  4. Inspect the state of the “email_verified” attribute

Troubleshooting

If the user can confirm that they have set email_verified=True within their Github account, a HAR file of the login flow would confirm whether or not this attribute is being returned to Auth0 from Github.

Cause

The most likely reason is that Github does not force users to verify their email address

When a user logs in via a social connection, the email_verified attribute in the user’s profile will be updated with the value that is sent by the provider. This is explained in the Auth0 public documentation.

“By default, user profile attributes provided by identity providers other than Auth0 (such as Google, Facebook, Twitter) are not directly editable because they are updated from the identity provider each time the user logs in.”

So if the user has not verified their email address in Github, then email_verified=False would be what Auth0 retrieves from the social connection.

If stepping back and take a look at social connection providers in a broader context, you should note that not all of them provide the email_verified attribute to Auth0

“When users authenticate with a federated identity provider (e.g. a social or enterprise connection), the value of the email_verified field will match what the identity provider returns in the user profile. If the identity provider does not return any value, it will be set to false.”

This is documented in the Auth0 public documentation:
https://auth0.com/docs/manage-users/user-accounts/user-profiles/verified-email-usage#when-does-auth0-set-emails-as-verified-

If you are in any doubt about this, you can capture a HAR file of your login to the social provider:
​​​​​​​https://auth0.com/docs/troubleshoot/troubleshooting-tools/generate-and-analyze-har-files

When you analyze the file, you should be able to see what value of email_verified is provided by the social login provider.