# talk-kratos
r
We're seeing unexpected behaviour where if you register with an email address (identifier) containing uppercase letters you have to re-verify your email after linking an OIDC provider. Would anyone have insight into why this might be happening? More info in the thread.
1. Register with an email containing uppercase characters
```yaml
traits:
  email: Donatas.tubutis@lighthouselabs.ca
  first_name: D
  last_name: T
  phone: "123"
verifiable_addresses:
  id: cf8f5ea4-31d1-45cf-a475-89f3971d65d2
  value: donatas.tubutis@lighthouselabs.ca
  verified: false
  via: email
```
2. Verify email
```yaml
verifiable_addresses:
  id: cf8f5ea4-31d1-45cf-a475-89f3971d65d2
  value: donatas.tubutis@lighthouselabs.ca
  verified: true
  via: email
```
3. Link GitHub in account settings (identity gets a new verifiable address id, even though the email address is the same)
```yaml
verifiable_addresses:
  id: 6bbd1752-92b8-405b-b0e5-374e8f3365ed
  value: donatas.tubutis@lighthouselabs.ca
  verified: false
  via: email
```
I'd think perhaps OIDC data mapping of the `email` field adds a new verifiable address; we've checked by linking a GitHub account associated with a different email address and it does not overwrite any of the email values in the identity data. But AFAIK jsonnet data mapping is performed only during registration. Linking a GitHub account with a different email address than the one used during initial registration also causes the same output (the email address registered with has to be re-verified).
Identity schema
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        },
        "first_name": {
          "type": "string",
          "title": "First Name",
          "maxLength": 320
        },
        "last_name": {
          "type": "string",
          "title": "Last Name",
          "maxLength": 320
        },
        "phone": {
          "title": "Phone",
          "type": "string"
        }
      },
      "required": [
        "email",
        "first_name",
        "last_name",
        "phone"
      ],
      "additionalProperties": false
    }
  }
}
```
OIDC data mapping:
```jsonnet
local claims = {
  email_verified: false,
} + std.extVar('claims');
{
  identity: {
    traits: {
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```
h
ory network or ory kratos?
r
Ory Network
h
Thank you! That means that the problem is currently on master. Would it be possible to create an issue in github.com/ory/network describing your issue (and potentially how to reproduce it) and also how problematic it is for you (priority)? That would be mega helpful.
r
Of course, I will! Sorry for not doing that right away, taking shortcuts due to other time pressures 🙂
h
No problem! 🙂