I am building a SPA + REST API and integrating it with Auth0.
My SPA needs to know whether and when a user verifies their email. When a user just registers and logs in, their email is not verified, therefore the id_token holds email_verified: false. While still on the page, a user might click the verify link on any device. The id_token does not get updated; therefore, the SPA doesn’t know that a user has verified the application.
The /userinfo endpoint would provide email_verified: true, but there is no way of knowing when to check the /userinfo endpoint, and constant polling seems to be the only option.
Am I missing something, or does OIDC + Auth0 not deal nicely with such scenarios? It seems to be such a basic feature, but the solution is far from straightforward.
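
The polling option mentioned in the question, as an added example that is not part of the original post: it checks /userinfo with exponential backoff and a hard attempt limit instead of a constant interval. The function name, option names, delays and result shape are assumptions for illustration; `domain` is the Auth0 tenant domain and `accessToken` is the access token the SPA already holds.

```javascript
// Added example (not from the original post): bounded polling of /userinfo
// until email_verified becomes true. All names and defaults are illustrative.
async function waitForEmailVerified({
  domain,                          // tenant domain, e.g. "example.auth0.com" (placeholder)
  accessToken,                     // access token issued with the openid scope
  fetchFn = fetch,                 // injectable so the logic can be tested offline
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  initialDelayMs = 2000,
  maxDelayMs = 30000,
  maxAttempts = 20,
}) {
  let delay = initialDelayMs;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await fetchFn(`https://${domain}/userinfo`, {
      headers: { Authorization: `Bearer ${accessToken}` },
    });

    // An expired or revoked token will never succeed: stop instead of retrying.
    if (res.status === 401) {
      return { verified: false, reason: "unauthorized", attempts: attempt };
    }

    if (res.status === 429) {
      // Rate limited: wait the maximum delay before the next attempt.
      delay = maxDelayMs;
    } else if (res.ok) {
      const claims = await res.json();
      // Strict comparison: only the boolean true counts as verified.
      if (claims.email_verified === true) {
        return { verified: true, reason: "verified", attempts: attempt };
      }
    }

    if (attempt < maxAttempts) {
      await sleep(delay);
      delay = Math.min(delay * 2, maxDelayMs);
    }
  }
  return { verified: false, reason: "timeout", attempts: maxAttempts };
}
```

A `verified: true` result only tells the SPA that /userinfo now reports the new value; the id_token it already holds still carries the old claim.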