How to include email address in ID Token
Closed this issue · 2 comments
Hi,
I would like to have the email address of the user to be included in the ID Token. This answer on StackOverflow suggests that this should be possible. However, it somehow doesn't seem to work as the returned ID Token doesn't contain this information. Any hints would be highly appreciated.
What I did in my attempt to achieve this is (no other changes have been made):
Client Creation
When creating the client, I have added the email and profile scopes, i.e. (see third last line):
curl --request POST \
  --url http://127.0.0.1:4445/admin/clients \
  --header 'Content-Type: application/json' \
  --data '{
    "grant_types": [
      "authorization_code",
      "refresh_token"
    ],
    "redirect_uris": [
      "http://127.0.0.1:5555/callback"
    ],
    "response_types": [
      "code",
      "id_token"
    ],
    "scope": "openid offline email profile",
    "token_endpoint_auth_method": "none",
    "skip_consent": true
  }'
Request Scopes
When requesting the authorization code:
http://127.0.0.1:4444/oauth2/auth?client_id=$CLIENT_ID&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&state=1102398157&scope=offline%20openid%20email%20profile
Hi Sven,
To get the email scope, the email needs to be verified. In this repo, I removed mailslurper and the verification flows, so you would need to add those back in.
More details are in the Ory Docs
I have created a branch that enables verification. It works when I tested it with a new user and used @strieflin's client creation and request scope snippets. I.e. exchanging the authorization code provides a JWT id_token that includes 'email' and 'email_verified' claims.
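A quick way to check what the exchange above actually put into the ID token, and to consume the email claim safely once verification is enabled, is to decode the token's payload and read `email` only when `email_verified` is true. The following is an added example, not code from this repo or from Ory; it builds its own unsigned sample tokens (constructed inline, `alg` "none") so it runs offline, and the decoder deliberately skips signature verification because it is an inspection helper: a real relying party must validate the JWS signature against the issuer's JWKS before trusting any claim. The claim values and addresses used are made up.

```python
import base64
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    Inspection only: the signature is NOT verified here. Use this to see which
    claims the issuer included; verify the token before acting on the claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def email_from_id_token(id_token: str) -> Optional[str]:
    """Return the email claim only if the issuer asserts it is verified.

    Absent 'email' (scope not granted or address unverified) or
    email_verified != true both yield None, so callers cannot accidentally
    trust an unverified address.
    """
    claims = decode_id_token_claims(id_token)
    email = claims.get("email")
    if claims.get("email_verified") is True and isinstance(email, str):
        return email
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg 'none', empty signature).

    For offline demonstration only; a real Hydra id_token is signed (RS256).
    """
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples mirroring the three situations discussed in the thread.
BASE_CLAIMS = {
    "iss": "http://127.0.0.1:4444/",
    "sub": "user-1234",          # made-up subject
    "aud": ["example-client"],   # made-up client id
}
# What the poster saw: email scope requested, but no email claim in the token.
TOKEN_NO_EMAIL = make_unsigned_token(BASE_CLAIMS)
# After verification is enabled: email and email_verified are present.
TOKEN_VERIFIED = make_unsigned_token(
    {**BASE_CLAIMS, "email": "sven@example.com", "email_verified": True}
)
# An issuer that emits the address but does not vouch for it.
TOKEN_UNVERIFIED = make_unsigned_token(
    {**BASE_CLAIMS, "email": "sven@example.com", "email_verified": False}
)

if __name__ == "__main__":
    for name, tok in [("no email", TOKEN_NO_EMAIL), ("verified", TOKEN_VERIFIED),
                      ("unverified", TOKEN_UNVERIFIED)]:
        print(name, sorted(decode_id_token_claims(tok)), email_from_id_token(tok))
```

To use it against a real token, pass the `id_token` field from the `/oauth2/token` response to `decode_id_token_claims` to see whether `email` was included at all, and only ever feed addresses through `email_from_id_token` (after signature verification) into account linking or authorization decisions.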