Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello :slightly_smiling_face:

The option « Require verified address for login » under Account verification does not seem to have any effect with OIDC providers.
When I register, I am indeed redirected to the verification page. However, if I just ignore it (ex: by returning to the /ui/welcome page, or go to account settings /ui/settings), I can freely use the application.
If I logout and login again, nothing prevents me from accessing the app.

My project has a google provider. In account verification, I have both « Enable Email / Phone Verification » and « Require verified address for login » checked as well as « Show verification screen after password / OIDC registration » checked.

I made sure the address of my identity is unverified.

That setting only applies to the password method, because it doesn't work well with OIDC flows. E.g. when using social sign in the UX is terrible if you're not logged in immediately (because you still need to verify the address).
You can manually check the session's identity's verification status manually in your code.
See also: <https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in>