Is there an existing issue for this?
Describe the issue
As reported in this comment on #1116, the Okta provider does not seem to return the email_verified claim in the ID token by default. This prevents users from logging in, resulting in the error:
Authentication failure: email not verified
This behavior appears to be due to Okta returning thin tokens to avoid bloating them with excessive information.
The suggested fix is to retrieve the email_verified claim from the /userinfo endpoint after successfully obtaining the access token.
I have verified that the /userinfo endpoint does include this claim for the Okta provider.
Keycloak also provides an option to include this claim in the /userinfo endpoint (enabled by default).
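Added example (not code from this project or from the issue author): one way to implement the suggested fallback. The ID-token claim is used when present; only when the provider sent a thin token without `email_verified` does the broker call `/userinfo` with the access token, and it refuses to trust the userinfo flag if the returned email differs from the ID-token email. The `newFakeUserInfoServer` helper, the token value and the `alice@example.com` data are constructed for the example; the `resolveEmailVerified` name and its signature are this example's own, not the project's.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// IDTokenClaims is the subset of ID-token claims this example cares about.
// EmailVerified is a pointer so an absent claim (Okta's thin token) can be
// told apart from an explicit false.
type IDTokenClaims struct {
	Email         string `json:"email"`
	EmailVerified *bool  `json:"email_verified,omitempty"`
}

// userInfo mirrors the relevant fields of an OIDC /userinfo response.
type userInfo struct {
	Sub           string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified *bool  `json:"email_verified"`
}

var ErrEmailNotVerified = errors.New("authentication failure: email not verified")

// fetchUserInfo calls the provider's /userinfo endpoint with the access token
// obtained from the token exchange (RFC 6750 bearer header).
func fetchUserInfo(ctx context.Context, client *http.Client, userInfoURL, accessToken string) (*userInfo, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, userInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo: unexpected status %d", resp.StatusCode)
	}
	var ui userInfo
	// Cap the body size so a misbehaving provider cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&ui); err != nil {
		return nil, fmt.Errorf("userinfo: decode: %w", err)
	}
	return &ui, nil
}

// resolveEmailVerified reports whether the user's email is verified. The ID
// token wins when it carries the claim; otherwise /userinfo is consulted.
// A claim missing from both sources is treated as "not verified".
func resolveEmailVerified(ctx context.Context, client *http.Client, userInfoURL, accessToken string, claims IDTokenClaims) (bool, error) {
	if claims.EmailVerified != nil {
		return *claims.EmailVerified, nil
	}
	ui, err := fetchUserInfo(ctx, client, userInfoURL, accessToken)
	if err != nil {
		return false, err
	}
	// Only trust the userinfo flag for the same identity the ID token named.
	if ui.Email != "" && claims.Email != "" && ui.Email != claims.Email {
		return false, fmt.Errorf("userinfo email %q does not match ID token email %q", ui.Email, claims.Email)
	}
	if ui.EmailVerified == nil {
		return false, nil
	}
	return *ui.EmailVerified, nil
}

// newFakeUserInfoServer is a constructed stand-in for a provider's /userinfo
// endpoint that, like Okta's, includes email_verified. It rejects any bearer
// token other than expectedToken.
func newFakeUserInfoServer(expectedToken string, verified bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+expectedToken {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]any{
			"sub": "00u-constructed", "email": "alice@example.com", "email_verified": verified,
		})
	}))
}

func main() {
	srv := newFakeUserInfoServer("constructed-access-token", true)
	defer srv.Close()
	thin := IDTokenClaims{Email: "alice@example.com"} // constructed thin token: no email_verified
	ok, err := resolveEmailVerified(context.Background(), srv.Client(), srv.URL, "constructed-access-token", thin)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if !ok {
		fmt.Println(ErrEmailNotVerified)
		return
	}
	fmt.Println("email verified via /userinfo fallback")
}
```

The extra call only happens on the thin-token path, so providers that already put `email_verified` in the ID token (or Keycloak with the claim mapped into the token) pay nothing; the email-match check guards against treating one account's userinfo answer as another's.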

Steps to reproduce
Try logging in with Okta using the generic broker.
System information and logs
No response
Double check your logs