How to get the `phone_number_verified` claim in the ID Token

Question:

How can I get a phone_number_verified claim in the ID token?

Answer:

When a user is identified via the passwordless SMS connection, they get two properties in the Auth0 profile: phone_number and phone_verified.

The OIDC spec defines the scope phone that should return the phone number and its verified status claims. However, the standard OIDC claim for the verified flag is phone_number_verified, different from the phone_verified property in the Auth0 user profile.

If you want applications to get the phone verified status when requesting the openid phone scopes, you can use a rule like this:

function (user, context, callback) {
  // "phone_verified" is a non-standard property
  // "phone_number_verified" is the standard OIDC claim
  user.phone_number_verified = user.phone_verified || false;
  callback(null, user, context);
}

After doing this (and assuming that the scope includes openid phone) the ID token should contain both claims in the payload:

{
  "phone_number": "+1xxxxxxxxxx",
  "phone_number_verified": true,
  "iss": "https://xxxxxxx.auth0.com/",
  "sub": "auth0|abcdefgh038cae00688191e0",
  "aud": "xxxxxxmN5aCcuumhzj46R09mRre5Gicj",
  "iat": 1622747501,
  "exp": 1622751101,
  "nonce": "nonce"
}

If not using a Passwordless SMS Connection

You can also set phone_number in the rule if you want to get the phone number from a different place (e.g. metadata), and it will work even if it’s not a Passwordless SMS connection. E.g.:

function (user, context, callback) {
  // an example on how to get this data from a different source
  // remember that you need "phone" in the scope to get these two values.
  user.phone_number = user.app_metadata && user.app_metadata.phone;
  user.phone_number_verified = false;
  callback(null, user, context);
}
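As an added example, not code from the original post, the two rules above are run against constructed user objects, followed by a simplified stand-in for the phone scope filter and a relying-party check that only trusts the number when phone_number_verified is exactly true. The scope filter, the runRule harness and the sample users are assumptions made for the example, not Auth0's own token issuance code.

```javascript
// Added example, not code from the original post: run the two rules from the
// answer against constructed user objects and then apply a simplified stand-in
// for the OIDC "phone" scope filter (an assumption, not Auth0's own issuance code).

// Rule from the answer: map the non-standard phone_verified to the OIDC claim.
function smsRule(user, context, callback) {
  user.phone_number_verified = user.phone_verified || false;
  callback(null, user, context);
}

// Rule for connections that are not Passwordless SMS: number comes from app_metadata.
function metadataRule(user, context, callback) {
  user.phone_number = user.app_metadata && user.app_metadata.phone;
  user.phone_number_verified = false;
  callback(null, user, context);
}

// Constructed harness: run a rule and return the user it hands back to callback.
function runRule(rule, user) {
  let result;
  rule(user, {}, (err, u) => { if (err) throw err; result = u; });
  return result;
}

// Simplified model of scope filtering: the phone claims are released only when
// the requested scope contains "phone" (assumed to mirror the behaviour the answer describes).
function phoneScopeClaims(user, scope) {
  const claims = {};
  if (!scope.split(' ').includes('phone')) return claims;
  if (user.phone_number !== undefined) claims.phone_number = user.phone_number;
  if (user.phone_number_verified !== undefined) {
    claims.phone_number_verified = user.phone_number_verified;
  }
  return claims;
}

// Relying-party side: only treat the number as verified when the claim is exactly true,
// so a missing claim or the rule's "false" default is never mistaken for verification.
function trustedPhoneNumber(claims) {
  return claims.phone_number_verified === true ? claims.phone_number : null;
}

// Constructed sample users (placeholder numbers, not real data).
const verifiedSmsUser = { phone_number: '+15550100', phone_verified: true };
const unverifiedSmsUser = { phone_number: '+15550101' }; // phone_verified absent
const metadataUser = { app_metadata: { phone: '+15550102' } };

console.log(phoneScopeClaims(runRule(smsRule, { ...verifiedSmsUser }), 'openid phone'));
console.log(phoneScopeClaims(runRule(metadataRule, { ...metadataUser }), 'openid phone'));
```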