Question:
How can I get a phone_number_verified claim in the ID token?
Answer:
When a user is identified via the passwordless SMS connection, they get two properties in the Auth0 profile: phone_number and phone_verified.
The OIDC spec defines the scope phone that should return the phone number and its verified status claims. However, the standard OIDC claim for the verified flag is phone_number_verified, different from the phone_verified property in the Auth0 user profile.
If you want applications to get the phone verified status when requesting the openid phone scopes, you can use a rule like this:
function (user, context, callback) {
// "phone_verified" is a non-standard property
// "phone_number_verified" is the standard OIDC claim
user.phone_number_verified = user.phone_verified || false;
callback(null, user, context);
}
After doing this (and assuming that the scope includes openid phone) the ID should contain both claims in the payload:
{
"phone_number": "+1xxxxxxxxxx",
"phone_number_verified": true,
"iss": "https://xxxxxxx.auth0.com/",
"sub": "auth0|abcdefgh038cae00688191e0",
"aud": "xxxxxxmN5aCcuumhzj46R09mRre5Gicj",
"iat": 1622747501,
"exp": 1622751101,
"nonce": "nonce"
}
If not using a Passwordless SMS Connection
You can also set phone_number in the rule if you want to get the phone number from a different place (e.g. metadata), and it will work even if it’s not a Passwordless SMS connection. E.g.:
function (user, context, callback) {
// an example on how to get this data from a different source
// remember that you need "phone" in the scope to get these two values.
user.phone_number = user.app_metadata && user.app_metadata.phone;
user.phone_number_verified = false;
callback(null, user, context);
}