email_verified field in the id_token?

Is there an email_verified field in the id_token (only from iOS?)? Can it be false?

Up vote post of nononononononono Down vote post of nononononononono
2.4k views
Posted by
nononononononono
Reply
Add a Comment

Accepted Reply

Thanks for the details. We did introduce this claim in the ID token recently to communicate that this is a verified email address.


Since we will only return verified email address this value when included will always be true. We decided to include this so that applications that depend this claim to recognize a verified email can continue to do so.

Posted by
Apple Staff
Up vote reply of Apple Staff Down vote reply of Apple Staff
Post marked as solved
Add a Comment

Replies

Also: if I don't see the email_verified field in tokens (like I am not for tokens from web sign ins) does that mean email_verified: true?

Posted by
nononononononono
Up vote reply of nononononononono Down vote reply of nononononononono
Add a Comment

There is no "email_verified" field in the response as only verified email will be returned.

Posted by
Apple Staff
Up vote reply of Apple Staff Down vote reply of Apple Staff
Add a Comment

Thanks for the info sudhakar19. I did get a token from the iOS SDK that decoded into claims like this:

{
  "iss": "https://appleid.apple.com",
  "aud": "my aud",
  "exp": 1565810682,
  "iat": 1565810082,
  "sub": "some sub",
  "c_hash": "hash",
  "email": "emailaddress",
  "email_verified": "true",
  "auth_time": 1565810082
}


and there is an `email_verified` field in there.

Posted by
nononononononono
Up vote reply of nononononononono Down vote reply of nononononononono
Add a Comment

Thanks for the details. We did introduce this claim in the ID token recently to communicate that this is a verified email address.


Since we will only return verified email address this value when included will always be true. We decided to include this so that applications that depend this claim to recognize a verified email can continue to do so.

Posted by
Apple Staff
Up vote reply of Apple Staff Down vote reply of Apple Staff
Post marked as solved
Add a Comment
The type of the email_verified (standard) claim is String. According to the specification [1] it should be boolean.

Example.
"email_verified": "true"
should be:
"email_verified": true

[1] openid.net/specs/openid-connect-core-1_0.html#StandardClaims
Posted by
schildmeijer
Post not yet marked as solved Up vote reply of schildmeijer Down vote reply of schildmeijer
Add a Comment

@Apple Staff To Confirm Apple has introduced a bug in the form of an Improperly formatted Token.
The claim "email_verified" SHOULD be of Type BOOLEAN and NOT String as stated with the OpenID Standard. openid.net/specs/openid-connect-core-1_0.html#StandardClaims

NOTE: Currently ALL Salesforce Organization their Apple Auth Provider Setup now Fails because of this and they are asking Us Users to request Apple fix their NON-Standard Id_Token format.

Is this something that can be fixed?

Posted by
Scott-Kent-FundPanel
Up vote reply of Scott-Kent-FundPanel Down vote reply of Scott-Kent-FundPanel
Add a Comment

@Apple Staff To Confirm Apple has introduced a bug in the form of an Improperly formatted Token. The claim "email_verified" SHOULD be of Type BOOLEAN and NOT STRING as stated with the OpenID Standard. openid.net/specs/openid-connect-core-1_0.html#StandardClaims

NOTE: Currently ALL Salesforce Organization their Apple Auth Provider Setup now Fails because of this and they are asking Us Users to request Apple fix their NON-Standard Id_Token format.

Is this something that can be fixed?

Posted by
Scott-Kent-FundPanel
Up vote reply of Scott-Kent-FundPanel Down vote reply of Scott-Kent-FundPanel
Add a Comment