I'm working on integrating OneLogin with our app to offer SSO to our customers. We would like to use the OpenID Connect flow.
I created a OneLogin account, then followed the instructions from https://developers.onelogin.com/openid-connect/connect-to-onelogin and I am now able to trigger the OpenID Connect implicit flow and get an id_token from OneLogin that I can use to authenticate the user to our app.
The concern here is that when I created my OneLogin account, I did not have to verify my email address, and the id_token issued by OneLogin does not include any "email_verified" claim. Isn't that a security issue where I could pretend to own any email address?
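The relying-party side of this question, as an added illustration that is not part of the original post and not OneLogin's code: after the JWT library has verified the id_token signature, the app keys the account on iss+sub and only uses the email claim for matching when email_verified is literally true. Issuer, client ID, nonce and the claim sets below are constructed placeholder values.

```python
import time

# Constructed placeholders; substitute your tenant's issuer and client_id.
ISSUER = "https://TENANT.onelogin.com/oidc"
CLIENT_ID = "my-client-id"
NONCE = "n-0S6_WzA2Mj"

# Claim sets as they would come back from a JWT library that has ALREADY
# verified the signature. Decoding the payload without that check is unsafe.
UNVERIFIED_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-123",
                     "exp": 1_700_003_600, "nonce": NONCE,
                     "email": "Alice@example.com"}          # no email_verified
VERIFIED_CLAIMS = dict(UNVERIFIED_CLAIMS, email_verified=True)


class IdTokenRejected(Exception):
    """The id_token must not be used to sign the user in."""


def resolve_identity(claims, issuer, client_id, nonce, now=None):
    """Validate core OIDC claims and decide how the user may be identified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise IdTokenRejected("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenRejected("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenRejected("token expired")
    if claims.get("nonce") != nonce:
        raise IdTokenRejected("nonce mismatch, possible replay")
    # The stable account key is always (iss, sub); never email alone.
    identity = {"issuer": issuer, "subject": claims["sub"], "email": None}
    # Use email for account linking only when the IdP asserts it was verified.
    # A missing claim is treated the same as False.
    if claims.get("email_verified") is True and claims.get("email"):
        identity["email"] = claims["email"].lower()
    return identity


if __name__ == "__main__":
    now = 1_700_000_000
    print(resolve_identity(UNVERIFIED_CLAIMS, ISSUER, CLIENT_ID, NONCE, now))
    print(resolve_identity(VERIFIED_CLAIMS, ISSUER, CLIENT_ID, NONCE, now))
```

When the email comes back as None, the app should fall back to a flow that proves mailbox ownership itself (for example its own verification email) before linking the SSO identity to an existing local account.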