Hi,
I am trying to set up a new OIDC integration for our applications.
So far, I created two integrations:
- one as a “private” application
- one through the OIN wizard
Using created users in our directory, I can successfully log in using Okta through either integration.
But I noticed a discrepancy between the two implementations regarding the email_verified claim, which I cannot explain to myself and which is blocking us so far.
Here are two results when calling /oauth2/v1/userinfo using an authorization token obtained through one or the other integration, for the same user:
- Through “private” app integration
{
  "sub": "00uhxfz8npPZ0fq7T5d7",
  "email": "alexandre-doudou-okta2@yopmail.com",
  "email_verified": true
}
- Through OIN app
{
  "sub": "00uhxfz8npPZ0fq7T5d7",
  "locale": "en-US",
  "email": "alexandre-doudou-okta2@yopmail.com",
  "preferred_username": "alexandre-doudou-okta2@yopmail.com",
  "given_name": "Alexandre",
  "family_name": "Doudou-Okta2",
  "zoneinfo": "America/Los_Angeles",
  "updated_at": 1719236685,
  "email_verified": false
}
This second call returns more information (which I can’t really explain either btw), but specifically the email_verified claim is true through private app, and false through OIN app.
Could I have any insights into why this is happening and how it can be overcome?
Thanks!