# ory-selfhosting
Login via OIDC skips email verification for unverified address

Hi everyone, I am facing an issue with my self-hosted Kratos. When a user registers via the Microsoft OIDC provider login and does not complete the email verification step during the registration flow, following login attempts using the same email account skip the verification step and proceed to login as usual, even though the email is unverified.

Steps to Reproduce:

1. Go to the login page and select partner login with Microsoft as the login method.
2. You're redirected to the Microsoft login page, where you can log in using a valid Microsoft account that has not been previously registered.
3. After logging in on the Microsoft side you're redirected back to our verification step, to input the email verification step.
4. Close the page without completing the verification process.
5. Go to a new login page (preferably without cache) and go again through the partner login with Microsoft with the same account as above.

You are logged in successfully without being prompted with a verification step.

Here is the kratos.config.yaml:
```yaml
flows:
  login:
    lifespan: 2h
    after:
      hooks:
        - hook: web_hook
          config:
            # url: http://localhost:10805/foo?flow=login # set via SELFSERVICE_FLOWS_LOGIN_AFTER_HOOKS_0_CONFIG_URL
            method: "POST"
            body: file:///app/hook.segment_identify.jsonnet
            response:
              ignore: true
      password:
        hooks:
          - hook: require_verified_address
      oidc:
        hooks:
          - hook: require_verified_address
  registration:
    lifespan: 2h
    enabled: true
    after:
      hooks:
        - hook: web_hook
          config:
            # url: http://localhost:10805/foo?flow=registration # set via SELFSERVICE_FLOWS_REGISTRATION_AFTER_HOOKS_0_CONFIG_URL
            method: "POST"
            body: file:///app/hook.segment_identify.jsonnet
            response:
              parse: true
      password:
        hooks:
          - hook: show_verification_ui
      oidc:
        hooks:
          - hook: show_verification_ui
```
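
An added example, not part of the original post and not Ory's code: a check an operator could run over session objects exported from the Kratos admin API to find active sessions that got past `require_verified_address`. The session JSON is constructed, and the field names (`active`, `authentication_methods`, `method`, `verifiable_addresses`, `verified`) are assumed to match the Kratos session schema with the identity expanded.

```python
import json

# Constructed sample data. Field names are assumed to follow the Ory Kratos
# session schema with the identity expanded; all values are made up.
SAMPLE_SESSIONS = json.loads("""[
 {"id": "sess-1", "active": true,
  "authentication_methods": [{"method": "oidc"}],
  "identity": {"id": "id-1", "verifiable_addresses": [
    {"value": "a@example.com", "via": "email", "verified": false}]}},
 {"id": "sess-2", "active": true,
  "authentication_methods": [{"method": "password"}],
  "identity": {"id": "id-2", "verifiable_addresses": [
    {"value": "b@example.com", "via": "email", "verified": true}]}},
 {"id": "sess-3", "active": false,
  "authentication_methods": [{"method": "oidc"}],
  "identity": {"id": "id-3", "verifiable_addresses": [
    {"value": "c@example.com", "via": "email", "verified": false}]}},
 {"id": "sess-4", "active": true,
  "authentication_methods": [{"method": "oidc"}],
  "identity": {"id": "id-4", "verifiable_addresses": []}}
]""")

GATED_METHODS = {"password", "oidc"}  # methods carrying the hook in the config above


def unverified_sessions(sessions, gated=GATED_METHODS):
    """List active sessions that used a gated method without a verified address."""
    findings = []
    for sess in sessions:
        if not sess.get("active"):
            continue  # expired or revoked sessions are not a live exposure
        identity = sess.get("identity") or {}
        addresses = identity.get("verifiable_addresses") or []
        if any(a.get("verified") is True for a in addresses):
            continue  # at least one verified address: the hook's condition is met
        methods = {m.get("method") for m in sess.get("authentication_methods") or []}
        used = sorted(methods & gated)
        if used:
            findings.append({
                "session": sess["id"],
                "identity": identity.get("id"),
                "methods": used,
                "reason": "unverified" if addresses else "no_address",
            })
    return findings


if __name__ == "__main__":
    for finding in unverified_sessions(SAMPLE_SESSIONS):
        print(finding)
```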