
pg0fr (pg0fr) asked a question.
Imagine I've got a Google IdP that my user is authenticating with. My basic process with Okta goes thus:
- User enters their email, using a plus address (e.g. "example+login@gmail.com")
- We get Okta's login URL using /v1/authorize (with response_type = "code")
- We redirect to Okta's login URL, which redirects to Google, and the user authenticates with them.
- Okta sends us a callback with a token
The issue is that the token doesn't have the plus addressing in it - now it's "example@gmail.com". This confuses our system a bit because we're expecting to get back the same email as was originally entered - when we later try to query Okta for the user, we use "example+login@gmail.com" and the user can't be found (because it was federated as "example@gmail.com").
Is there a way to get back the original login email with the token? Or some better way to associate one user with multiple possible emails?

Do you mean the email in Google is not the same as in Okta for the same user?
The email the user provided uses plus addressing - essentially an alias. "example+login@gmail.com" is the same inbox as "example@gmail.com".
The problem is that I only see "example@gmail.com" in Okta, not the plus addressed version.
Is it Google Workspace or social Google IdP?
Google Workspace.
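
An added example, not part of the thread and not Okta's code: one way to keep the address the user typed is to bind it server-side to the OAuth `state` value sent on /v1/authorize, then key the account on the ID token's `sub` claim instead of on the email. It assumes the ID token was already signature-validated, that the in-memory dicts stand in for a real session store and user table, and that plus addressing is a pure alias as described above for Google; all function names are hypothetical.

```python
import secrets

# Stand-ins for a server-side session store and a user table (assumptions).
pending = {}    # state -> email the user typed before the redirect
accounts = {}   # IdP subject ("sub") -> every email seen for that user


def begin_login(entered_email):
    """Return the `state` to send on /v1/authorize, remembering what was typed."""
    state = secrets.token_urlsafe(32)
    pending[state] = entered_email
    return state


def same_mailbox(entered, asserted):
    """True if `entered` equals `asserted` or is a plus-addressed alias of it."""
    e_local, _, e_dom = entered.lower().rpartition("@")
    a_local, _, a_dom = asserted.lower().rpartition("@")
    if e_dom != a_dom:
        return False
    return e_local == a_local or e_local.split("+", 1)[0] == a_local


def finish_login(state, claims):
    """Handle the callback; `claims` are already-validated ID token claims."""
    entered = pending.pop(state, None)  # single use: a replayed state fails
    if entered is None:
        raise PermissionError("unknown or replayed state")
    # Refuse to attach a typed address to an identity the IdP did not assert,
    # otherwise a user could bind someone else's address to their own account.
    if not same_mailbox(entered, claims["email"]):
        raise PermissionError("IdP asserted a different mailbox than was entered")
    accounts.setdefault(claims["sub"], set()).update({entered, claims["email"]})
    return claims["sub"], entered


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    s = begin_login("example+login@gmail.com")
    print(finish_login(s, {"sub": "00u-constructed", "email": "example@gmail.com"}))
```

Later lookups then use the stored `sub` rather than either email string, so the plus-addressed and canonical forms resolve to the same user.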