feat: Enable parsing email_verified from string. #139
Merged
livio-a merged 2 commits into zitadel:main from Nov 2, 2021
AWS Cognito will return email_verified from /userinfo endpoint as string. This fix will accept proper boolean values as well as string values.

Links for reference:
https://forums.aws.amazon.com/thread.jspa?messageID=949441
https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
Codecov Report
@@ Coverage Diff @@
## main #139 +/- ##
==========================================
+ Coverage 11.99% 12.15% +0.16%
==========================================
Files 42 42
Lines 2702 2707 +5
==========================================
+ Hits 324 329 +5
Misses 2367 2367
Partials 11 11
livio-a approved these changes Nov 2, 2021
🎉 This PR is included in version 0.16.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
muhlemmer pushed a commit that referenced this pull request Jan 12, 2026
…ant OIDC providers (#791)

AWS Cognito (and potentially other providers) return `email_verified` and `phone_number_verified` as strings (`"true"`/`"false"`) instead of proper JSON booleans, violating the [OIDC specification](https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims).

AWS Documentation confirms this:

> Currently, Amazon Cognito returns the values for email_verified and phone_number_verified as strings.

_Source: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html#get-userinfo-response-sample_

### The Problem

The `zitadel/oidc` library currently handles this inconsistently:

- ✅ `EmailVerified` uses the custom `Bool` type (added in #139)
- ❌ `PhoneNumberVerified` uses Go's standard `bool`

This forces developers to handle semantically identical fields differently:

```go
// Currently inconsistent code path
userInfo.EmailVerified = oidc.Bool(emailValue) // Cast
userInfo.PhoneNumberVerified = phoneValue // No cast
```

Additionally, the existing `Bool.UnmarshalJSON` implementation meant that false values couldn't overwrite true.

### Solution

Applied `Bool` type consistently to both fields and simplified `Bool.UnmarshalJSON` using a direct switch statement to:

- Handle standard JSON booleans (true/false)
- Handle AWS Cognito string format ("true"/"false")
- Return errors on invalid input instead of silently failing
- Allow false to overwrite true

Updated tests to match codebase conventions, as well.

### Impact

`PhoneNumberVerified` changes from `bool` to `Bool` (type alias of `bool`). Most consumer code should work as-is since `Bool` is just a type alias. Direct type assertions would need updating.

### Definition of Ready

- [X] I am happy with the code
- [X] Short description of the feature/issue is added in the pr description
- [ ] PR is linked to the corresponding user story
- [X] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and justified
- [ ] Deviations from the acceptance criteria and design are agreed with the PO and documented.
- [X] No debug or dead code
- [X] My code has no repetitions
- [X] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [X] Documentation/examples are up-to-date
- [ ] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on the dev system.

Co-authored-by: Wim Van Laer <wim07101993@users.noreply.github.com>
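
The parsing behaviour described in the commit message above, as an added example that is not the zitadel/oidc implementation: a stand-in `Bool` type that accepts JSON booleans and the `"true"`/`"false"` strings, returns an error for anything else, and lets `false` overwrite `true`. The `UserInfo` struct, `ParseUserInfo` and the sample bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Bool is a hypothetical stand-in for the library type of the same name.
type Bool bool

// UnmarshalJSON accepts the JSON booleans true/false and the strings
// "true"/"false". Any other input is an error and leaves *b untouched, so a
// malformed claim is never silently read as verified or unverified.
func (b *Bool) UnmarshalJSON(data []byte) error {
	switch string(data) {
	case "true", `"true"`:
		*b = true
	case "false", `"false"`:
		*b = false
	default:
		return fmt.Errorf("cannot parse %s as a boolean claim", data)
	}
	return nil
}

// UserInfo holds only the two claims discussed here (constructed struct).
type UserInfo struct {
	EmailVerified       Bool `json:"email_verified"`
	PhoneNumberVerified Bool `json:"phone_number_verified"`
}

// ParseUserInfo decodes a userinfo body into dst, which may hold older values.
func ParseUserInfo(body string, dst *UserInfo) error {
	return json.Unmarshal([]byte(body), dst)
}

func main() {
	// Constructed bodies: Cognito-style strings, spec booleans, invalid value.
	bodies := []string{
		`{"email_verified":"true","phone_number_verified":"true"}`,
		`{"email_verified":false,"phone_number_verified":false}`,
		`{"email_verified":"yes"}`,
	}
	var u UserInfo // reused, so the second body must overwrite true with false
	for _, body := range bodies {
		err := ParseUserInfo(body, &u)
		fmt.Printf("%+v err=%v\n", u, err)
	}
}
```
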