Meaning of user email verified attribute and how to access it with gitkitclient

Robert Hoffmann

unread,

Jul 20, 2015, 4:33:31 AM7/20/15

to google-iden...@googlegroups.com

Hi,

It says on https://developers.google.com/identity/toolkit/web/required-endpoints

...that there is a "verified" attribute regarding the verification state of a user's email.

Does this mean that there can be doubt if the email provided through gitkit is under control by the user (aka verified) or not?

What is the meaning of this flag and how could I access it with the Java gitkitclient (vs 1.2.3)?

Thank you - R

Derek Salama

unread,

Jul 20, 2015, 12:25:33 PM7/20/15

to google-iden...@googlegroups.com, robert.ho...@gmail.com

Hi Robert,

Identity Toolkit does not force email verification as part of the registration flow, so we mark the email as unverified and allow the application to enforce it as appropriate. In the case where the user signs in with their email provider (e.g. Yahoo, or Google for gmail accounts), then it will automatically be verified.

If you wish to enforce validation at registration time, then you can check the verification state at the sign-in success URL and send the email as appropriate. Per the issues you've filed on the Github repo, some of this functionality is missing from our Java library, so we will add that shortly.

In the future, please post questions like this on Stack Overflow with the tag "google-identity-toolkit".

Thanks,

Derek

Dennis Lee

unread,

Oct 5, 2015, 1:11:36 PM10/5/15

to Google Identity Toolkit, robert.ho...@gmail.com

Hi Derek,

Following the response you provided above, wanted to ask if there is any sample code for enforcing validation at registration time -- specifically, which functions should I be focused on primarily?

Also, I've implemented the change of email function and noticed that even after the user verifies his/her new email address and the change of address is complete, the 'email_verified' attribute continues to be False... although I assume this is the same as the standalone email verification process

Appreciate your help!

Thanks,

Dennis

Jin Liu

unread,

Oct 5, 2015, 1:52:23 PM10/5/15

to Google Identity Toolkit, robert.ho...@gmail.com

Hi Dennis,

A new method, GetEmailVerificationLink(), has been added to the Identity Toolkit client libraries (Java, and others). In your server when you find the 'verified' flag is false for the incoming user, you can call this method to get the verification url, and send the user an email containing the url. Once the user clicks the url, the Identity Toolkit javascript widget will take care of the remaining UI and redirect the browser to the signInSuccessUrl with a new Identity Toolkit IdToken.

You are right that after the email change flow is complete, the 'email_verified' flag in the IdToken should be true. It is a bug from our side, and the fix will be live next week.