How to user `email_verified` field?

edvard · July 18, 2018, 5:43am

I am building a SPA + Rest API and integrating it with Auth0.

My SPA needs to know whether and when a user verifies their email. When a user just registers and logs in, their email is not verified, therefore id_token holds email_verified: false. While still on the page, a user might click the verify link on any device. id_token does not get updated, therefore, the SPA doesn’t know that a user has verified the application.

But the /userinfo endpoint would provide email_verified: true, but there is no way of knowing when to check the /userinfo endpoint and constant polling seems to be the only option.

Am I missing something, or oidc + auth0 doesn’t deal nicely with such scenarios? It seems to be such a basic feature, but solution far from straightforward.

markd · July 19, 2018, 6:21pm

I’m pretty sure that is correct. Maybe you could include an “I have verified my email address” button on your SPA? Otherwise, polling is the only option. As far as I know there’s no way to actively push a new id_token out to a user / device.

Topic		Replies	Views
How to update id_token on SPA once user clicks email verification link Get Help id_token , verification-email , email-verification	3	3487	September 4, 2019
email_verified without re-login Get Help login , email_verified	5	4558	March 2, 2018
Calling user info endpoint returns stale information for email verified attribute Get Help user-info	8	5471	March 2, 2018
Endpoint /tokeninfo returns stale email_verified value Get Help id_token , tokeninfo , email_verified	3	4169	March 2, 2018
Check if email_verified without signing in again. Get Help email_verified	2	7385	March 2, 2018

How to user `email_verified` field?

Related topics