Email_verified claim

Assuming ‘email’ scope is included when initiating an OIDC flow to get tokens.

I am wondering why ‘email_verified’ claim is not included in the id token when the token is exchanged using ‘code’ flow. However, the ‘email_verified’ claim is included in the id token when exchanging with ‘implicit’ flow.

Thanks so much for the help!

Hi @myang, according to the spec it can also be found at the /userinfo endpoint (OpenID Connect Core 1.0 incorporating errata set 1); this is assuming you are requesting a code or hybrid flow with both access and id token (aka thin token), but if you are only requesting the id_token (aka fat token) you will get the full list of claims (Okta Help Center).
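The fallback the reply above describes, as an added example that is not part of the original thread or any Okta code: read `email_verified` from the ID token when it is present, otherwise fetch it from the UserInfo endpoint, check that both `sub` values match (OpenID Connect Core 1.0, section 5.3.2), and treat a missing claim as unverified. The function names, the injected `get_userinfo` callable and the sample claims are assumptions made for illustration; the ID token is assumed to be already validated.

```python
import json
import urllib.request


def fetch_userinfo(userinfo_url, access_token):
    """GET the UserInfo endpoint with the access token as a Bearer credential."""
    req = urllib.request.Request(
        userinfo_url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def resolve_email(id_claims, get_userinfo):
    """Return (email, verified) from ID token claims, falling back to UserInfo.

    id_claims: claims of an ID token whose signature, iss, aud and exp the
               caller has already validated.
    get_userinfo: zero-argument callable returning the UserInfo claims dict,
                  e.g. lambda: fetch_userinfo(<userinfo endpoint>, <access token>)
    """
    claims = id_claims
    if "email_verified" not in claims:
        # Thin ID token (code or hybrid flow): the claim is served by /userinfo.
        userinfo = get_userinfo()
        # The UserInfo "sub" must match the ID token "sub" before it is trusted.
        if userinfo.get("sub") != id_claims.get("sub"):
            raise ValueError("UserInfo sub does not match ID token sub")
        claims = userinfo
    # Fail closed: only the JSON boolean true counts as verified.
    return claims.get("email"), claims.get("email_verified") is True


# Constructed sample claims (not real tokens or users).
THIN_ID = {"sub": "00u-example", "iss": "https://idp.example"}
FAT_ID = {"sub": "00u-example", "email": "a@example.com", "email_verified": True}
USERINFO = {"sub": "00u-example", "email": "a@example.com", "email_verified": True}

if __name__ == "__main__":
    print(resolve_email(FAT_ID, lambda: {}))        # claim read from the ID token
    print(resolve_email(THIN_ID, lambda: USERINFO))  # claim read from UserInfo
```
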
