Using SSO to sign up for an account bypasses some of the information that needs to be filled out

[MomentQYC]

Description

For example, assuming that the server is set up to require an email address to register in order to avoid spam as much as possible, when I use GitHub OAuth for authorization to sign up for an account, I can sign up for an account without filling in my email address.

Steps to reproduce

• Set Synapse to have to verify email address to register
• Setting up to allow third-party authorization registration, such as GitHub OAuth
• Sign up for an account using GitHub OAuth without verifying your email address

Homeserver

Matrix.org can reproduce this situation

Synapse Version

Synapse 1.91.1

Installation Method

Debian packages from packages.matrix.org

Database

IDK

Workers

I don't know

Platform

Matrix.org

Configuration

IDK

Relevant log output

IDK

Anything else that would be useful to know?

No response

[clokep]

From discussion with others it seems that in this case you're depending on the SSO provider to handle anti-spam for you, i.e. this is done on purpose.

[clokep]

It does sound like some SSO providers include whether the email was verified though, so you could possibly use the attribute_requirements for the provider to ensure that it is validated before allowing the login.

[MomentQYC]

It does sound like some SSO providers include whether the email was verified though, so you could possibly use the attribute_requirements for the provider to ensure that it is validated before allowing the login.

There are some providers that will not provide email information, so for these people should you go through an additional email verification process?

[clokep]

so for these people should you go through an additional email verification process?

This would probably depend on what the operator of the server wanted -- whether they trust the provider to have enough spam protections in place to avoid spammy accounts or not.

It sounds like this isn't possible today though since you can't layer SSO and then email on-top.

@sandhose mentioned to me that this will be possible using the matrix-authentication-service though.