Salesforce User Cannot Login Because their Email is Not Verified

Problem statement

We force email verification in our app. Most social users can log in fine as their emails are already verified, but certain Salesforce users have email_verified: false, and we cannot verify their email on Auth0 either.

Cause

Social identity providers like Salesforce send claims about the user’s email_verified status, and Auth0 sets the email_verified attribute based on that. Most identity providers require users to verify their email at the beginning, but this is not the case with Salesforce. As a result, some Salesforce users may appear with email_verified: false.

Solution

The user should ideally verify their email on the Salesforce end. When the user logs in to the app after this, their email_verified property will be set to true.

If it’s really important that Salesforce users can continue to access the app regardless of their email_verified status, consider relaxing the email verification logic for users from this connection. However, this is not recommended unless there is a strong reason to do so and one understands the consequences.
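
One way to scope that relaxation, shown as an added example (not code from the original article or from Auth0). It assumes the verification check is enforced in an Auth0 post-login Action; the connection name 'salesforce' and the custom claim URL are placeholders. Only the named connection is exempted, and the token is marked so the app knows the email was not verified.

```javascript
// Added example: Auth0 post-login Action (assumed enforcement point).
// Assumption: names of connections exempt from the verified-email gate.
// 'salesforce' is a placeholder; use the name shown for your connection.
const EXEMPT_CONNECTIONS = new Set(['salesforce']);
// Assumption: namespaced custom claim telling the app the gate was skipped.
const CLAIM = 'https://example.com/email_unverified_exempt';

// Pure decision function so the policy can be tested without Auth0.
function evaluateEmailPolicy(event) {
  const verified = Boolean(event.user) && event.user.email_verified === true;
  if (verified) return { allow: true, exempted: false };
  const conn = event.connection && event.connection.name;
  // Exact match on the connection name: no prefix or provider-wide matching,
  // so unverified users from any other connection are still blocked.
  if (EXEMPT_CONNECTIONS.has(conn)) return { allow: true, exempted: true };
  return { allow: false, exempted: false };
}

async function onExecutePostLogin(event, api) {
  const decision = evaluateEmailPolicy(event);
  if (!decision.allow) {
    api.access.deny('Please verify your email before logging in.');
    return;
  }
  if (decision.exempted) {
    // Surface the exemption so the application can avoid treating this
    // email address as proof of identity.
    api.idToken.setCustomClaim(CLAIM, true);
  }
}

// Auth0 Actions load the handler from exports; the guard keeps the file
// loadable where CommonJS exports are not defined.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Once the user verifies their email on the Salesforce side, the first branch applies and the claim is no longer set.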