How to user `email_verified` field?

edvard · July 18, 2018, 5:43am

I am building a SPA + Rest API and integrating it with Auth0.

My SPA needs to know whether and when a user verifies their email. When a user just registers and logs in, their email is not verified, therefore id_token holds email_verified: false. While still on the page, a user might click the verify link on any device. id_token does not get updated, therefore, the SPA doesn’t know that a user has verified the application.

But the /userinfo endpoint would provide email_verified: true, but there is no way of knowing when to check the /userinfo endpoint and constant polling seems to be the only option.

Am I missing something, or oidc + auth0 doesn’t deal nicely with such scenarios? It seems to be such a basic feature, but solution far from straightforward.

markd · July 19, 2018, 6:21pm

I’m pretty sure that is correct. Maybe you could include an “I have verified my email address” button on your SPA? Otherwise, polling is the only option. As far as I know there’s no way to actively push a new id_token out to a user / device.

Topic		Replies	Views
How to update id_token on SPA once user clicks email verification link Help id_token , verification-email , email-verification	3	3470	September 4, 2019
Endpoint /tokeninfo returns stale email_verified value Help id_token , tokeninfo , email_verified	3	4149	March 2, 2018
Auth0 console says email is verified, but auth0 user in app says email_verified = false Help	6	4976	March 19, 2021
Auth0 returns a stale userInfo Help	7	5201	February 11, 2019
email_verified without re-login Help login , email_verified	5	4534	March 2, 2018

How to user `email_verified` field?

Related Topics