Problem

(Context: see #3954)

Coder will check for the email_verified OIDC claim if it is provided, and block sign-in if the user's email is not verified.
Users with unverified emails atttempting to login will get a message similar to

{"message":"Verify the \"user@acme.corp\" email address on your OIDC provider to authenticate!"}

From the Auth0 docs:

https://auth0.com/docs/manage-users/user-accounts/user-profiles/verified-email-usage

In case of federated identity providers, they sometimes report if the user has a verified email, and based on that, Auth0 sets the email_verified field in the user profile. This, however, transfers the responsibility to the identity provider to do it properly - something we can't ensure. We also don't know if the verified email from that provider is still owned by the user.

When users authenticate with a federated identity provider (e.g. a social or enterprise connection), the value of the email_verified field will match what the identity provider returns in the user profile. If they identity provider does not return any value, it will be set to false.

This means that certain IdPs through Auth0 (for example, AzureAD) are essentially unusable with Coder currently -- if the IdP does not return the email_verified claim, Auth0 will default it to false and Coder will block sign-in.

Solution

Add a command-line flag / environment variable CODER_OIDC_IGNORE_EMAIL_VERIFIED.
This will default to false. If it is set to true, skip the code path to check the email_verified claim:

https://github.com/coder/coder/blob/4b3d211e004ec5e4a3b30f98ca3c3e8ec687168a/coderd/userauth.go#L251-260

This will essentially assume that all emails are verified.