OpenID integration recent change

Hi all,

We use our own OpenID provider from AppSheet to authenticate users.

This provider does not fully implement the OAuth standard (only the openid scope), but it worked fine a few days ago.

This morning a message appeared when logging in, telling the user that the authentication provider did not verify his/her email: “Auth failure: this email address has not been verified. Please verify the email address with the identity provider before using it for AppSheet sign in.”

Did the AppSheet OpenID integration change recently? If so, will AppSheet provide an option to remove the email validation check for the provider, or will we have to complete our provider with the missing information?

Thank you in advance for your answers,

Sébastien


@praveen Any ideas about this failure?

Hi @Sebastien_REGNOULT

Yes, we made these changes recently to harden security. As you know, most platform security uses defense-in-depth; in other words, it provides different layers of security to catch problems. It would be desirable to change your provider to ensure user emails are verified. Is that possible at your end? I’m sorry for the disruption. We viewed this as a security issue that should not affect our customers, rather than a feature change. Thanks

As info for other readers …

“email_verified” is an OpenID Connect standard claim. From the standard definition:

email_verified (boolean): True if the End-User’s e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.

Hi @praveen

Thank you for your detailed answer. In fact our user enrollment process is done with email verification, but the information is currently lacking in the dataset returned to AppSheet, as the provider only returns the “openid” scope set of data: we will have to change it in order to have AppSheet working again.

We understood from the OAuth documentation that the email_verified parameter was optional and, until now, did not need to be returned.

Would you be able to change AppSheet’s interpretation of the absence of this parameter to “true” instead of “false”, so that we can have some time to develop our change to the provider?

Thanks once again,

Sébastien

Hi @Sebastien_REGNOULT, I’ve added @Scott_Haaland who works on this part of our product.

In general, we’d be concerned about interpreting the absence of information as indicating that the email has been verified. We might be able to do something short-term just for your account. Do you mind sending an email with the account details to support@appsheet.com and indicating that the support ticket should be sent to Scott Haaland?

Thanks

What's your IdP? In the id_token, do you have the field email_verified: true for your user?

Best Regards!
