Proper way to configure OIDC with email verification?

[marcinkoziej]

Hi!
I have confiured the OIDC with Google, and it works, however, the verifiable_emails array contains the email with verified: false and status: "pending".
I'd like the email fetched via OIDC be treated as verified because Google has verified it already

My config is as follows:

Kratos:

selfservice:
(..._
  methods:
(....) 
   oidc:
      enabled: true
      config:
        providers:
          - id: google
            provider: generic
            client_id: "..............................................apps.googleusercontent.com"
            client_secret: "........................................................."
            issuer_url: https://accounts.google.com
            auth_url: https://accounts.google.com/o/oauth2/v2/auth
            token_url: https://oauth2.googleapis.com/token
            mapper_url: file:///ory/kratos/google.jsonnet
            scope:
              - email
              - profile
            requested_claims:
              id_token:
                email:
                email_verified:

google.jsonnet is [i thought the email_verified: true at line 2 makes the it true by default]:

local claims = {
  email_verified: true
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
			first_name: claims.given_name,
			last_name: claims.family_name,
    },
  },
}

The identity spec contains traits: email, first_name, last_name:

{
  "$id": "https://fixthestatusquo.com/schemas/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "first_name": {
          "type": "string",
          "title": "First name",
          "minLength": 1
        },
        "last_name": {
          "type": "string",
          "title": "Last name",
          "minLength": 1
        }
      },
      "required": [
        "first_name",
        "last_name",
        "email"
      ],
      "additionalProperties": false
    }
  }
}

[vinckr]

Do you want users that authenticate over Google to have a verified email automatically
or
is the check if the email was actually verified not working?

I dont know how the email verification works on Googles part, but I would be willing to dig a little deeper with you, just want to make sure I get the issue right 🙂 .

Does the OIDC setup with Google work as intended?
If you are up to it, we are still missing a definite guide to setup Google as OIDC provider here. Would be happy to work with you on that 🙂

[marcinkoziej]

The former, yes. I want to trust Google that it verified emails and this stack overflow answer says Google will pass email_verified: true always.

However I can't make Kratos to accept it, and I cannot get it to log out the content of claims received from Google (I've set logging to debug).

[marcinkoziej]

@vinckr I have just grepped & stared at the kratos source code for 2 hours and I can see that this is not at all supported by Kratos at this moment.

Registration flow for Generic OIDC method

1. The OIDC configuration works well in that it receives Claims properly from Google:
   The broken down Printf() of Claims struct looks like this:

mapper_jsonnet_url=file:///ory/kratos/google.jsonnet oidc_claims=&{https://accounts.google.com 
10625425596338xxxxxx600 
Marcin Ossowski Marcin Ossowski      
https://lh3.googleusercontent.com/a-/AOh14GXXXXXXXXXXXXXXv1f9RmaVNHpmwgv=s96-c  
[email protected] <-- my email here
 true        <- email_verified here
 en  
false 
0} oidc_provider=google service_name=kratos service_version=

2. Kratos is absolutely not using this information :O
   • In processRegistration, the identity is created (traits are generated by jsonnet mapper and yield a good result with first_name, last_name, email)
   • The PostRegistrationPrePersistHooks are run - and there are 0 such hooks
   • The PostRegistrationPostPersisHoox are run - there is just one, which actually sends me the verifiaction email
3. Ideally, there would be a PostRegistrationPrePersistHooks called "recognize_verification" or similar that would mark identity.VerifiableAddresses corresponding to identity.email as verified; Or, the code which creates VerifiableAdresses array with elements, would create such address already verified (I was not able to localize the code that does it though; it's possible that it has access only to traits but not to Claims, in which case it will not be able to access the Claims.EmailVerified.

The hook code is very convoluted to me with many levels of abstraction, so I must admin I have no idea how to properly fix this - I should probably create an issue based on this discussion topic, right ?

[vinckr]

Thanks for investigating this so thoroughly marcinkoziej!

@zepatrik Maybe you can confirm this is a bug/missing feature?

Lets see what the Maintainers say, but it will probably lead to an issue yes 🙂 .

[zepatrik]

Yes, this looks not implemented. Lets open an issue and discuss the implementation there.

[zepatrik]

ah right, it is already opened 👍 @vinckr #1057

[vinckr]

Ok, I am marking this as "solved" for now, as the feature is not implemented and further discussion around a future implementation will take place in this issue: #1057