verifiedEmail versus email


Mike Mansell

Sep 10, 2011, 2:46:49 PM
to google-iden...@googlegroups.com
So, I'm unsure of what causes the verifyAssertion REST API to return a verifiedEmail as opposed to an email. I've tried three different test accounts. All of them are registered Google accounts. However, only one of them is a true GMail account (the others are accounts for which I provided a non-gmail email address; however, I did click on the verification emails that Google sent, so they are 'verified'). Only the GMail account returns a verifiedEmail field in the JSON response. The others return an email field.

I can guess that verifiedEmail means that it's a GMail account, but since I verified the other emails, that doesn't seem totally logical.

If my guess is correct, then can I also use the presence of the 'email' to indicate that this is a verified google account, just not a GMail account?

Any insight would be appreciated. 

Jin Liu

Sep 11, 2011, 11:02:14 AM
to google-iden...@googlegroups.com
What you observed is the expected behavior of GITkit. 'verifiedEmail'
in the verifyAssertion API response means the email service provider
is the same as the identity provider.

When the asserted email address is on a domain that the identity
provider does NOT control, relying parties will have to handle some
very tricky cases. Please refer to Google's RP Best Practices at
https://sites.google.com/site/oauthgoog/UXFedLogin/loginlogic for more
information.

Feel free to ask if you have any further questions.

Jin
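
Added example, not part of either post and not GITkit code: a sketch of how a relying party might branch on the two fields discussed above. Only the field names `verifiedEmail` and `email` come from the thread; the action names, the account store, the sample responses and the policy for the `email`-only case are assumptions made for illustration.

```python
import json

# Constructed sample responses; only the two field names come from the thread.
SAMPLE_IDP_MAILBOX = '{"verifiedEmail": "Alice@idp.example"}'
SAMPLE_OTHER_DOMAIN = '{"email": "bob@corp.example"}'
SAMPLE_EMPTY = '{"verifiedEmail": ""}'

# Hypothetical local account store, keyed by lower-cased address.
KNOWN_ACCOUNTS = {"alice@idp.example", "bob@corp.example"}


def _clean(value):
    """Return a normalized address, or None if the field is missing or empty."""
    if isinstance(value, str) and value.strip():
        return value.strip().lower()
    return None


def classify_assertion(response_json, known_accounts):
    """Map a verifyAssertion JSON response to an (action, address) pair."""
    try:
        data = json.loads(response_json)
    except ValueError:
        return ("reject", None)
    if not isinstance(data, dict):
        return ("reject", None)

    verified = _clean(data.get("verifiedEmail"))
    if verified:
        # The identity provider also runs this mailbox, so the address
        # can key the local account directly.
        return ("login" if verified in known_accounts else "create_account", verified)

    claimed = _clean(data.get("email"))
    if claimed:
        # Address is on a domain the identity provider does not control.
        # Assumed policy: never open an existing account on this claim alone.
        if claimed in known_accounts:
            return ("require_existing_credentials", claimed)
        return ("require_email_confirmation", claimed)

    return ("reject", None)
```
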
