OpenID integration recent change

Hi all,

We use our own OpenID provider from AppSheet to authenticate users.

This provider does not fully implement the OAuth standard (only the openid scope) but it worked ok a few days ago.

This morning a message appears when logging in, telling the user that the Authentication provider did not verify his/her email : “Auth failure: this email address has not been verified. Please verify the email address with the identity provider before using it for AppSheet sign in.”

Did AppSheet OpenID integration change recently ? If so, will AppSheet provide an option in order to remove the email validation check from the provider or will we have to get our provider completed with the missing information ?

Thank you in advance for your answers,

Sébastien

1 Like

@praveen Any ideas about this failure?

1 Like

Hi @Sebastien_REGNOULT

Yes, we made these changes recently to harden security. As you know, most platform security uses defense-in-depth — in other words, provide different layers of security to catch problems. It would be desirable to change your provider to ensure user emails are verified. Is that possible at your end? I’m sorry for the disruption. We viewed this as a security issue that should not affect our customers, rather than a feature change. Thanks

As info for other readers …

“email_verified” is an OpenIdConnect standard claim. From the standard definition …

email_verified boolean True if the End-User’s e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.

1 Like

Hi @praveen

Thank you for your detailed answer. In fact our user enrollment process is done with email-verification but the information is currently lacking in the dataset returned to AppSheet as the provider only returns the “openid” scope set of data : we will have to change it in order to have AppSheet working again.

We understood from the OAuth documentation that the email_verified parameter was optional and, until now, did not need to have this kind of data returned.

Would you be able to change AppSheet’s interpretation of the lack of this parameter as a “true” instead of a “false” value, so that we can have some time to develop our change to the provider ?

Thanx once again,

Sébastien

Hi @Sebastien_REGNOULT, I’ve added @Scott_Haaland who works on this part of our product.

In general, we’d be concerned to interpret the absence of information as indicating that the email has been verified. We might be able to do something short-term just for your account. Do you mind please sending an email with the account details to support@appsheet.com and please indicate that the support ticket should be sent to Scott Haaland.

Thanks

1 Like