
How to use `email_verified` field?

oidc
spa

#1

I am building a SPA + Rest API and integrating it with Auth0.

My SPA needs to know whether and when a user verifies their email. When a user just registers and logs in, their email is not verified, therefore id_token holds email_verified: false. While still on the page, a user might click the verify link on any device. id_token does not get updated, therefore, the SPA doesn’t know that a user has verified the application.

But the /userinfo endpoint would provide email_verified: true, but there is no way of knowing when to check the /userinfo endpoint and constant polling seems to be the only option.

Am I missing something, or does oidc + auth0 not deal nicely with such scenarios? It seems to be such a basic feature, but the solution is far from straightforward.


#2

I’m pretty sure that is correct. Maybe you could include an “I have verified my email address” button on your SPA? Otherwise, polling is the only option. As far as I know there’s no way to actively push a new id_token out to a user / device.
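
An added example, not part of either post above: one way to implement the polling and the "I have verified my email address" button discussed in this thread against the OIDC `/userinfo` endpoint. The `domain` and `accessToken` values and all function names are assumptions chosen for illustration.

```javascript
// Capped exponential backoff so polling does not hammer /userinfo.
function nextDelayMs(attempt, baseMs = 2000, maxMs = 30000) {
  return Math.min(maxMs, baseMs * 2 ** attempt);
}

// Fetch the current claims from the standard OIDC /userinfo endpoint.
// `domain` (tenant domain) and `accessToken` are placeholders supplied by the caller.
async function fetchUserInfo(domain, accessToken, fetchImpl = fetch) {
  const res = await fetchImpl(`https://${domain}/userinfo`, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  // 429 means "slow down": report it so the poller backs off instead of failing.
  if (res.status === 429) return { rateLimited: true };
  if (!res.ok) throw new Error(`userinfo request failed: ${res.status}`);
  return res.json();
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Poll until email_verified is true, attempts run out, or the caller aborts
// (for example when the user navigates away from the "verify your email" page).
async function waitForEmailVerified({
  getUserInfo,          // async function returning the /userinfo claims
  maxAttempts = 8,
  sleep = defaultSleep,
  signal,               // optional AbortSignal
}) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    if (signal?.aborted) {
      return { verified: false, reason: "aborted", attempts: attempt };
    }
    const info = await getUserInfo();
    // Strict comparison: only the boolean true counts, not "true" or 1.
    if (info.email_verified === true) {
      return { verified: true, attempts: attempt + 1 };
    }
    if (attempt + 1 < maxAttempts) await sleep(nextDelayMs(attempt));
  }
  return { verified: false, reason: "timeout", attempts: maxAttempts };
}
```

Calling `waitForEmailVerified` with `maxAttempts: 1` gives the one-shot button check. Either way the result is a UI hint only, and the REST API should check `email_verified` itself rather than trust the SPA.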