Conversation

@sreecharan-desu sreecharan-desu commented Jan 24, 2026

Mozilla Connect requires email and email_verified claims in the ID Token to authenticate (it throws a 401 otherwise).

I updated grant.js to explicitly include these claims in the id_token payload when the email or profile scope is requested.

Fixes #18854

Because

Khoros (Mozilla Connect) expects these claims to verify identity. Without them, login fails.

This pull request

  • Updates generateIdToken in packages/fxa-auth-server/lib/oauth/grant.js to include email and email_verified in the token if we have the right scopes.
  • Adds unit tests to packages/fxa-auth-server/test/oauth/grant.js to verify the claims are added correctly and restricted to the proper scopes.

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

@sreecharan-desu sreecharan-desu requested a review from a team as a code owner January 24, 2026 03:56
Mozilla Connect (and potentially other SPs) requires email and email_verified claims in the ID Token to successfully authenticate users. This change ensures these claims are included when the email or profile scope is requested.

This also adds unit tests to verify the claims are only included when appropriate scopes are authorized.

Closes: mozilla#18854
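To make the scope gating concrete, here is an added example in JavaScript (not fxa's own code and not the PR's diff; the function names and the account and claim fields are assumptions): an issuer-side helper that adds `email` and `email_verified` only when the granted scopes include `email` or `profile`, and an SP-side check modelling a relying party that, like Mozilla Connect as described above, rejects an ID Token lacking those claims. One caveat a reviewer would raise: in OIDC Core section 5.4 the `email` scope is what maps to `email` and `email_verified`, while `profile` maps to name, picture and similar claims, so honouring `profile` as well is a deliberate widening for this integration rather than the spec default. The helper also takes `email_verified` from the account's real verification state instead of hard-coding it, since an SP that links accounts on that flag is trusting the OP to be honest about it.

```javascript
// Added example, not code from mozilla/fxa. buildIdTokenClaims and
// spAcceptsIdToken are hypothetical names; the account shape (uid,
// primaryEmail, emailVerified) is an assumption for illustration.

// Scopes whose grant entitles the client to the email claims. OIDC Core 5.4
// maps them to the `email` scope only; `profile` is included here because the
// integration described in the PR requests it.
const EMAIL_CLAIM_SCOPES = new Set(['email', 'profile']);

// Accept either an array of scopes or the space-separated OAuth form.
function normalizeScopes(scopes) {
  const list = Array.isArray(scopes) ? scopes : String(scopes).split(/\s+/);
  return new Set(list.filter(Boolean));
}

// Issuer side: build the ID Token payload for one grant.
function buildIdTokenClaims({ issuer, clientId, account, scopes, now = Math.floor(Date.now() / 1000), ttl = 3600 }) {
  const claims = {
    iss: issuer,
    sub: account.uid,
    aud: clientId,
    iat: now,
    exp: now + ttl,
  };

  const granted = normalizeScopes(scopes);
  const mayEmitEmail = [...EMAIL_CLAIM_SCOPES].some((s) => granted.has(s));
  if (mayEmitEmail) {
    claims.email = account.primaryEmail;
    // Reflect the real verification state; never hard-code true. Coerce to a
    // strict boolean so a missing or string-valued flag cannot read as verified.
    claims.email_verified = account.emailVerified === true;
  }
  return claims;
}

// SP side: model a relying party that needs both claims to authenticate.
// Returns the decision it would make (the 401 the PR describes for missing claims).
function spAcceptsIdToken(claims, expectedAud) {
  if (claims.aud !== expectedAud) {
    return { ok: false, status: 401, reason: 'aud_mismatch' };
  }
  if (typeof claims.email !== 'string' || typeof claims.email_verified !== 'boolean') {
    return { ok: false, status: 401, reason: 'missing_email_claims' };
  }
  if (!claims.email_verified) {
    return { ok: false, status: 403, reason: 'email_unverified' };
  }
  return { ok: true, status: 200, email: claims.email };
}

// Constructed sample account and a grant with and without the email scope.
const sampleAccount = { uid: 'a1b2c3', primaryEmail: 'user@example.com', emailVerified: true };
const withEmail = buildIdTokenClaims({
  issuer: 'https://op.example', clientId: 'khoros-client', account: sampleAccount,
  scopes: ['openid', 'email'], now: 1000,
});
const withoutEmail = buildIdTokenClaims({
  issuer: 'https://op.example', clientId: 'khoros-client', account: sampleAccount,
  scopes: ['openid'], now: 1000,
});
console.log(spAcceptsIdToken(withEmail, 'khoros-client'));
console.log(spAcceptsIdToken(withoutEmail, 'khoros-client'));

module.exports = { buildIdTokenClaims, spAcceptsIdToken, normalizeScopes, EMAIL_CLAIM_SCOPES };
```

Running it shows the two outcomes side by side: the `openid email` grant is accepted with the user's address, while the bare `openid` grant is turned away with `missing_email_claims`, which is the failure mode the linked issue reports.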

Successfully merging this pull request may close these issues.

Mozilla connect logins failing with 401