From 4c2eb2af734504492e047549ab7576a7ee71b50d Mon Sep 17 00:00:00 2001
From: Misha Bragin
Date: Fri, 16 Jan 2026 16:01:39 +0100
Subject: [PATCH] [management] Skip email_verified if not present (#5118)
---
 idp/dex/provider.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/idp/dex/provider.go b/idp/dex/provider.go
index 6a4fe7873..6625d9eaf 100644
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -798,15 +798,15 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 "redirectURI": redirectURI,
 "scopes": []string{"openid", "profile", "email"},
 "insecureEnableGroups": true,
+ //some providers don't return email verified, so we need to skip it if not present (e.g., Entra, Okta, Duo)
+ "insecureSkipEmailVerified": true,
 }
 switch cfg.Type {
 case "zitadel":
 oidcConfig["getUserInfo"] = true
 case "entra":
- oidcConfig["insecureSkipEmailVerified"] = true
 oidcConfig["claimMapping"] = map[string]string{"email": "preferred_username"}
 case "okta":
- oidcConfig["insecureSkipEmailVerified"] = true
 oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 case "pocketid":
 oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
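Review bot: Setting `"insecureSkipEmailVerified": true` in the base `oidcConfig` map applies it to every connector type, including `zitadel`, `pocketid` and any type that falls through the switch, whereas the comment only justifies it for Entra, Okta and Duo. As far as I know Dex then treats a missing `email_verified` claim as verified, so any downstream logic that links or authorises accounts by email would accept an unverified address from those providers; consider leaving the default off and setting `oidcConfig["insecureSkipEmailVerified"] = true` only in the cases that need it (`case "entra":`, `case "okta":`, and a Duo case if one exists). If the global default is intended, the comment should say so, for instance `// Applied to all connector types: a missing email_verified claim is accepted, so email must not be treated as verified downstream.` `buildOIDCConnectorConfig` starts and ends outside the hunk, so whether a later branch overrides the value cannot be seen here.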