How to use the `email_verified` field?

I am building a SPA + Rest API and integrating it with Auth0.

My SPA needs to know whether and when a user verifies their email. When a user just registers and logs in, their email is not verified, therefore id_token holds email_verified: false. While still on the page, a user might click the verify link on any device. id_token does not get updated, therefore, the SPA doesn’t know that a user has verified the application.

But the /userinfo endpoint would provide email_verified: true, but there is no way of knowing when to check the /userinfo endpoint and constant polling seems to be the only option.

Am I missing something, or does OIDC + Auth0 not deal nicely with such scenarios? It seems to be such a basic feature, but the solution is far from straightforward.

1 Like

I’m pretty sure that is correct. Maybe you could include an “I have verified my email address” button on your SPA? Otherwise, polling is the only option. As far as I know there’s no way to actively push a new id_token out to a user / device.

1 Like
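
The polling approach discussed in this thread, as an added example that is not part of either post and is not Auth0's own code: a bounded check of the OIDC `/userinfo` endpoint that backs off between attempts and treats only a boolean `true` as verified. The names `interpret`, `waitForEmailVerified`, `userinfoUrl`, `getAccessToken`, and the timing defaults are assumptions.

```javascript
// Added example: bounded polling of the OIDC /userinfo endpoint.
// userinfoUrl, getAccessToken and the timing defaults are assumptions.

// Decide what to do with one /userinfo response (pure, so it is easy to test).
function interpret(status, body, attempt, baseMs = 2000, maxMs = 30000) {
  // A rejected access token will not start working by retrying.
  if (status === 401) return { action: "stop", reason: "token_rejected" };
  // Accept only the boolean true; a string "true" or a missing claim is not verified.
  if (status === 200 && body && body.email_verified === true) {
    return { action: "done" };
  }
  // Back off exponentially; wait the full cap when throttled (429).
  const delayMs = status === 429 ? maxMs : Math.min(maxMs, baseMs * 2 ** attempt);
  return { action: "wait", delayMs };
}

async function waitForEmailVerified(userinfoUrl, getAccessToken, opts = {}) {
  const fetchFn = opts.fetch || globalThis.fetch;
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  const maxAttempts = opts.maxAttempts || 8;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchFn(userinfoUrl, {
      headers: { Authorization: `Bearer ${await getAccessToken()}` },
    });
    const body = res.status === 200 ? await res.json() : null;
    const step = interpret(res.status, body, attempt);
    if (step.action === "done") return { verified: true, attempts: attempt + 1 };
    if (step.action === "stop") return { verified: false, reason: step.reason };
    await sleep(step.delayMs);
  }
  // Stop polling instead of looping forever; the UI can offer a manual re-check.
  return { verified: false, reason: "gave_up" };
}
```

For the "I have verified my email address" button suggested above, the click handler can call `waitForEmailVerified` with `maxAttempts: 1`, so each click makes exactly one `/userinfo` request.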