
2 Commits

Author SHA1 Message Date
Stavros
a71f61df8d feat: add email verified claim 2026-03-04 15:52:31 +02:00
Stavros
6bf444010b feat: add nonce claim support to oidc server (#686)
* feat: add nonce claim support to oidc server

* fix: review feedback
2026-03-04 15:34:11 +02:00
2 changed files with 6 additions and 1 deletions


@@ -59,7 +59,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
SubjectTypesSupported: []string{"pairwise"},
IDTokenSigningAlgValuesSupported: []string{"RS256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
ClaimsSupported: []string{"sub", "updated_at", "name", "preferred_username", "email", "groups"},
ClaimsSupported: []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
ServiceDocumentation: "https://tinyauth.app/docs/guides/oidc",
})
}
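Review bot: The `email_verified` claim newly advertised on the `ClaimsSupported` line is produced without any verification signal: in the second file, `CompileUserinfo` sets `userInfo.EmailVerified = true` for every user granted the `email` scope, so relying parties that use `email_verified` to decide account linking will treat every address in this server's user store as confirmed. Unless every account's address is genuinely verified out of band, emitting `false` (or not emitting the claim and this discovery entry) until a real verification flag or configuration option exists is the safer default, and the in-code comment on that line already acknowledges the assumption. The `omitempty` tag on the new `EmailVerified bool` fields in `ClaimSet` and `UserinfoResponse` also drops a `false` value entirely, so an explicitly unverified address would be indistinguishable from one where the claim was never set; `json:"email_verified"` without `omitempty`, or a `*bool`, keeps the negative answer visible once the value stops being constant. The `OpenIDConnectConfiguration` method's body begins before this hunk.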


@@ -49,6 +49,7 @@ type ClaimSet struct {
Exp int64 `json:"exp"`
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Groups []string `json:"groups,omitempty"`
Nonce string `json:"nonce,omitempty"`
@@ -60,6 +61,7 @@ type UserinfoResponse struct {
Email string `json:"email,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Groups []string `json:"groups,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
UpdatedAt int64 `json:"updated_at"`
}
@@ -388,6 +390,7 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
Exp: expiresAt,
Name: userInfo.Name,
Email: userInfo.Email,
EmailVerified: userInfo.EmailVerified,
PreferredUsername: userInfo.PreferredUsername,
Groups: userInfo.Groups,
Nonce: nonce,
@@ -583,6 +586,8 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
if slices.Contains(scopes, "email") {
userInfo.Email = user.Email
// We can set this as a configuration option in the future but for now it's a good idea to assume it's true
userInfo.EmailVerified = true
}
if slices.Contains(scopes, "groups") {