H2CK/oidc

email_verified is false, despite the address being confirmed

Closed this issue · 6 comments

I'm trying to connect our Nextcloud as an IDP to Grist. Grist needs the email_verified field in the token, as it does user matching by email address.

However, the token returned contains "email_verified": false for all users I tried it on. All of them were created through the user admin interface of Nextcloud, but they set their passwords themselves after receiving the invitation mail. Is this a bug of Nextcloud or of this app?

Thank you for your time.

This is what OCC prints about my user (occ user:info myusername):

  - user_id: myusername
  - display_name: [...]
  - email: my@email.com
  - cloud_id: myusername@mynextcloud.com
  - enabled: true
  - groups: [...]
  - quota: none
  - storage: [...]
  - last_seen: 2023-12-20T09:53:02+00:00
  - user_directory: /var/www/html/data/myusername
  - backend: Database

Nothing about email verification.

This really seems to be a bug in the oidc app. Please have a look at version 0.7.3, which should now correctly set the claim verified_email based on the email verification of the Nextcloud user.

As far as I know, the email verification is not shown via the occ command. You can check if the email verification has been performed in the Nextcloud database. In the table accounts you will find the column data, which contains something like
{...,"email":{"value":"user1@abc.com","scope":"v2-federated","verified":"2"},...}

Value 2 for attribute verified is set in case the email has been verified. Value 0 means no email verification performed and value 1 means verification is in progress.

Hey @H2CK, thanks for your update. I installed it and tried again, but was unable to get email_verified to be true. I have an instance of Nextcloud provided by a hosting provider, so sadly I'm unable to access the database directly. Do you know of any way to look this up through the UI or API?

I think this is generally more of an issue about how Nextcloud handled email verification previously, because on older users created by admins, the users did have to set their password via mail, but their email was not viewed as verified. This behaviour seems to be different for new users, where now the verified claim works as expected.

H2CK commented

For NC28: Under "Personal Settings" you are able to view the verification state for at least "Additional emails". If you click on the three dots you might find an entry in the menu stating "This address is not confirmed" if the address is not verified.

Are you able to edit your email address, which might initiate a new verification process? Or is this email set by your provider?

I am thinking of a configuration setting in the oidc app to overwrite the email verification information from Nextcloud.

We're still on 27 (annoyingly our provider didn't update yet), but I can see the state of the additional addresses.

What works:

  1. Add another, not yet used email ("email-b")
  2. Verify email-b
  3. Make email-b primary
  4. Remove previous primary mail ("email-a")
  5. It works (email_verified is true and email is "email-b")

However, what I can't do:

  1. I cannot add email-a as email-b (since that would be a duplicate). So I would need a different email for every user that's already added.
  2. I can, after removing email-a and making email-b primary, re-add email-a. However, NC will not show me the option to verify email-a, despite email_verified now being false again. This really seems like a bug in NC.
  3. If I skip step 4 and keep email-a around, email_verified is false, but the email claim is email-b (which I did verify). So it seems like the emails are mixed up, in that email_verified takes the validation status of email-a, but email is email-b.

I think somehow these users were created in a time where NC had a bug around verification, and now it's acting a little weird.

H2CK commented

Please have a look at version 0.8.0. In this version you are able to set the behavior for the email_verified claim in the token. In the settings you can choose to always set it to true or to use the Nextcloud information as the source.
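The two pieces of behaviour discussed in this thread, deriving email_verified from the verified attribute in the accounts table (0 / 1 / 2) and the 0.8.0 setting that either uses that information or forces the claim to true, as an added illustration in Python that is not the oidc app's own PHP code. The setting names "nextcloud" and "always_true", the sample rows and the relying-party matching function are assumptions made for the example; it also shows the check a relying party such as Grist relies on before matching an account by email.

```python
import json
from typing import Optional

# Meaning of the "verified" attribute in the Nextcloud accounts table,
# as described in this issue: 0 = not verified, 1 = in progress, 2 = verified.
VERIFIED_DONE = "2"

# Constructed sample rows shaped like the accounts.data column quoted above.
ROW_VERIFIED = '{"email":{"value":"user1@abc.com","scope":"v2-federated","verified":"2"}}'
ROW_PENDING = '{"email":{"value":"user1@abc.com","scope":"v2-federated","verified":"1"}}'
ROW_UNVERIFIED = '{"email":{"value":"user1@abc.com","scope":"v2-federated","verified":"0"}}'


def email_verified_from_account(data_json: str) -> bool:
    """True only when Nextcloud recorded the primary email as verified (value 2)."""
    email = json.loads(data_json).get("email", {})
    return str(email.get("verified", "0")) == VERIFIED_DONE


def build_claims(data_json: str, email_verified_source: str = "nextcloud") -> dict:
    """Build the email claims of the token.

    email_verified_source (hypothetical setting names for the 0.8.0 choice):
      "nextcloud"   - take the value from the account data (the safe default)
      "always_true" - assert verification regardless of what Nextcloud knows;
                      this moves the whole risk of a wrong match onto the RP.
    """
    email = json.loads(data_json).get("email", {}).get("value")
    if email_verified_source == "always_true":
        verified = True
    elif email_verified_source == "nextcloud":
        verified = email_verified_from_account(data_json)
    else:
        raise ValueError(f"unknown email_verified_source: {email_verified_source}")
    return {"email": email, "email_verified": verified}


def rp_match_user(claims: dict, known_users: dict) -> Optional[str]:
    """Relying-party side: link an IdP login to an existing local account by
    email only when the IdP asserts the address is verified, which is why a
    false email_verified claim blocks matching as the reporter observed."""
    email = claims.get("email")
    if not claims.get("email_verified") or not email:
        return None
    return known_users.get(email.lower())
```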