1

Our app allows users to sign in with a Google account and uses the Google API client library for ID token validation.

According to the Google doc, the email claim is supposed to be contained in the ID token payload when the scope includes the email scope value.

However, I noticed that in some cases the email or email_verified claim is missing from the ID token payload even though the email scope value is included.

Why is this happening? I suppose a Google account always has a verified email address on the profile.

Linda Lawton - DaImTo
manh

2 Answers

0

I asked the team about this very question several years ago. They do not guarantee that the claims will come with every call.

The workaround is

If you make a request to the userinfo endpoint

GET /oauth2/v2/userinfo HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer [accessToken]

Response

{
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20", 
  "verified_email": true, 
  "id": "11720047553267277534", 
  "email": "xxxxxxx@gmail.com"
}

Assuming you have requested the email scope, email and verified_email will be returned every time.

Linda Lawton - DaImTo
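The fallback described in the answer above, as an added example that is not part of the original post or of Google's client library: use the ID token's claims when present, otherwise call the userinfo endpoint and accept its answer only if it describes the same account. The function names are hypothetical, `claims` is assumed to be the payload already validated by the client library, and the comparison assumes the v2 userinfo `id` field carries the same account ID as the token's `sub`.

```python
import json
import urllib.request

USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"  # endpoint from the answer


def fetch_userinfo(access_token):
    """Call the userinfo endpoint with the access token as a Bearer credential."""
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def resolve_verified_email(claims, access_token, fetch=fetch_userinfo):
    """Return a verified email for an already-validated ID token payload.

    `claims` must come from the client library's ID token verification;
    this function does not check signature, issuer, audience or expiry.
    """
    email, verified = claims.get("email"), claims.get("email_verified")
    if email is None or verified is None:
        # Claim missing despite the email scope: fall back to userinfo.
        info = fetch(access_token)
        # Assumption: v2 userinfo "id" is the same account ID as the token's
        # "sub". Refuse a response that describes a different account.
        if str(info.get("id")) != str(claims["sub"]):
            raise ValueError("userinfo id does not match ID token sub")
        email, verified = info.get("email"), info.get("verified_email")
    # Accept only an explicit boolean True; a missing flag is not "verified".
    if not email or verified is not True:
        raise ValueError("no verified email available for this account")
    return email
```

Passing `fetch` as a parameter lets the fallback be exercised in unit tests without network access.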
0
GET /oauth2/v2/userinfo HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer [accessToken]

{
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20", 
  "verified_email": true, 
  "id": "11720047553267277534", 
  "email": "xxxxxxx@gmail.com"
}
Rishit Dagli