Auth0 users can log in without e-mail verification even when it's required

Created on 26 January 2023, almost 2 years ago
Updated 27 January 2023, almost 2 years ago

Problem/Motivation

Checking the box Require email verification when a visitor creates an account has no effect; it's completely ignored.

Steps to reproduce

  1. At Administration -> Configuration -> People -> Settings, check Require email verification when a visitor creates an account.
  2. Set up your IDP to request e-mail address verification (e.g. Auth0 does this by default).
  3. Have a new unverified user attempt to log in.
  4. The user is able to log in successfully, without having to verify their e-mail address.

This shouldn't be happening if that checkbox is checked.

Proposed resolution

Don't let the user log in until their email_verified attribute comes back as TRUE.

Remaining tasks

Do it.

User interface changes

None, except that there will an error message on login failure.

API changes

Maybe check for this in OpenIDConnectRedirectController->authenticate()?

Data model changes

None.

Workaround

Get the IDP to fail the attempt before returning.

Here's some info on how you can do this with Auth0:

🐛 Bug report
Status

Closed: duplicate

Version

3.0

Component

Code

Created by

🇨🇦Canada colan Toronto 🇨🇦

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @colan
  • Status changed to Closed: duplicate almost 2 years ago
  • 🇵🇹Portugal jcnventura

    That checkbox only applies when creating a user via the standard Drupal process. I'm assuming that for this scenario you are allowing users to be created by the OpenID Connect module. The module trusts the IDP to have verified the user. If you don't trust the IDP, please don't allow it to create users.

    If Auth0 supports a email_verified, it seems to me obvious that the the Auth0 plugin should not allow users to login email_verified set to FALSE. Seems to be a bug in the Auth0 plugin that should be fixed there.

  • 🇵🇹Portugal jcnventura

    That checkbox only applies when creating a user via the standard Drupal process. I'm assuming that for this scenario you are allowing users to be created by the OpenID Connect module. The module trusts the IDP to have verified the user. If you don't trust the IDP, please don't allow it to create users.

    If Auth0 supports a email_verified, it seems to me obvious that the the Auth0 plugin should not allow users to login email_verified set to FALSE. Seems to be a bug in the Auth0 plugin that should be fixed there.

  • Status changed to Active almost 2 years ago
  • 🇨🇦Canada colan Toronto 🇨🇦

    If there are no other IDPs that operate like this (I have no idea), then you have a point. Let's keep this as a follow-up issue though, and get that one in first.

  • Status changed to Postponed almost 2 years ago
  • 🇵🇹Portugal jcnventura

    OK. In any case the module doesn't have Auth0 support yet. Once it does, we can unblock this.

  • Status changed to Closed: duplicate almost 2 years ago
  • 🇨🇦Canada colan Toronto 🇨🇦

    Configuring this at the IDP is actually trivial so I simply added docs for this on the Auth0 form, which is now in Add native support for Auth0 Needs review . So there's no coding necessary here.

Production build 0.71.5 2024