Know if an email address is validated in JWT
I'm using .NET with the OIDC integration / middleware. Most everything seems to be working well, except I need to know if the user has verified their email. I noticed while debugging there is a claim that comes back on the JWT, "ext_provider", which has this information, but I only saw it come across with a value once. I also didn't see any documentation on this claim.
How do I determine that a user has in fact verified their account?
5 Replies
Can you confirm if you are looking for this information to come back via a Social SSO like Google or with standard email and password authentication?
@Andre @ Kinde, I don't need this with social login because those emails are already "verified" by proxy essentially. I just need to know that the Kinde (email / password in my case) user has verified their email.
Thanks for confirming. So whenever a new user is created via password/passwordless we get the user to do an OTP to their email address to verify that they own that email.
So it's safe to assume that once a new user reaches your product, we have verified them for you and hence why you would only see the verified value come through once.
Ok, so there is no way to let the user into our app to engage with it until they've confirmed their info via OTP. Any plans to change that? Not saying that's a bad idea, just thinking about our current situation where we allow the user to browse around our site with some more functionality after logging in even if they haven't validated their account yet.
No immediate plans to change that. But we might look into it being a toggle functionality for each business to choose. The alternative way we are looking at it is via anonymous users, where a user can be created on our side without being verified and be issued a token and then you force the user to verify at some point.