@@ -1,5 +1,5 @@
---
Contributor Author:
Changed this because the text is cut off in the sidebar.

title: OAuth2/OpenID Connect front-channel and back-channel logout
title: Front-channel and back-channel logout
description: Configure front-channel and back-channel logout for OAuth2/OpenID Connect providers
authentik_version: "2025.8.0"
authentik_preview: true
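Review bot: the new `title` line drops "OAuth2/OpenID Connect", which shortens not only the sidebar entry but also the page heading and browser title; the unchanged `description` line still names the protocol, so the page keeps that context, but if the docs site supports a separate sidebar label (Docusaurus exposes this as the `sidebar_label` frontmatter key) it would shorten only the sidebar while leaving the full title in place, which addresses the cut-off text the comment mentions without losing the protocol name.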
22 changes: 22 additions & 0 deletions website/docs/add-secure-apps/providers/oauth2/index.mdx
@@ -183,6 +183,28 @@ This does _not_ apply to special scopes, as those are not configurable in the pr
- `user:email`: Allows read-only access to `/user`, including email address
- `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams.

### Email scope verification

In authentik releases prior to 2025.10, the email scope always set the `email_verified` claim to `true`. Since authentik does not have a single authoritative source to determine whether a user's email is actually verified, asserting this claim could have security implications. As of 2025.10, `email_verified` now defaults to `false`.

Some applications require this claim to be `true` in order to authenticate users. In those cases, you can define a custom email scope mapping that always returns `email_verified` as `true`:

```python
return {
"email": request.user.email,
"email_verified": True
}
```

For greater security guarantees, verify users' email addresses and store the verification status as a user attribute (for example, `email_verified` set to `true` or `false`). You can then configure the scope mapping to return this value dynamically:

```python
return {
"email": request.user.email,
"email_verified": request.user.attributes.get("email_verified", False)
}
```

## Signing & Encryption

[JWTs](https://jwt.io/introduction) created by authentik will always be signed.
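Review bot: the first snippet, which unconditionally returns `"email_verified": True`, reinstates the exact behaviour the paragraph above says 2025.10 removed for security reasons, yet the surrounding text presents it only as a compatibility option; suggest adding one sentence next to it stating that it is appropriate only when the deployment already verifies addresses by some other means (for example an upstream source that enforces verification before the user reaches authentik), and that the attribute-backed mapping below is the preferred form. Two smaller points on the second snippet: the value of `request.user.attributes.get("email_verified", False)` is passed through as-is, so the text should state that the attribute must be stored as a boolean, since a string such as `"false"` would be emitted as a string claim rather than the boolean the relying party expects; and it would help to say explicitly that these expressions go into a scope mapping that replaces the default `email` scope mapping on the provider, since "define a custom email scope mapping" leaves the attachment step implicit.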
2 changes: 2 additions & 0 deletions website/docs/releases/2025/v2025.10.md
@@ -27,6 +27,8 @@ In previous releases with the default scope mappings, we set the `email_verified

Some applications may require this claim to be `true` to successfully authenticate users, in which case you can create a custom `email` scope mapping that returns `email_verified` as `true`.

For more information, refer to the [Email scope verification documentation](../../add-secure-apps/providers/oauth2/index.mdx#email-scope-verification).

## New features and improvements

### SCIM provider OAuth support :ak-enterprise
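Review bot: the added link resolves correctly (`../../` from `website/docs/releases/2025/` lands in `website/docs/`, and the target `add-secure-apps/providers/oauth2/index.mdx` matches the file changed in this PR, with the anchor matching the new `Email scope verification` heading), but the sentence it follows still tells readers only that they can create a mapping that returns `email_verified` as `true`, which is the less safe of the two options the linked section documents; suggest extending that sentence to "returns `email_verified` as `true`, or reads it from a user attribute that records the verification status" so the release note points at the attribute-backed form as well.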