fix: Improve OIDC email verified check

The OIDC email verified check now fails if the email is explicitly
unverified, or if the `email_verified` claim is supported and the email
is not explicitly verified.

Previously, the OIDC implementation failed for any OIDC provider that
did not include the `email_verified` claim in the userinfo response.
Providers like Synology do not include this claim, so the check always
failed with error "Email is not verified."

I haven't found a formal specification for the `email_verified` claim,
and how it should be handled, but this implementation should be more
robust and work with more OIDC providers.

Fixes #1446.

backend/handler/auth/base_handler.py

@@ -3,6 +3,7 @@
 from typing import Any
 
 from config import OIDC_ENABLED, ROMM_AUTH_SECRET_KEY
+from decorators.auth import oauth
 from exceptions.auth_exceptions import OAuthCredentialsException, UserDisabledException
 from fastapi import HTTPException, status
 from handler.auth.constants import ALGORITHM, DEFAULT_OAUTH_TOKEN_EXPIRY
@@ -125,7 +126,18 @@ async def get_current_active_user_from_openid_token(self, token: Any):
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="Email is missing from token.",
             )
-        if userinfo.get("email_verified", None) is not True:
+
+        metadata = await oauth.openid.load_server_metadata()
+        claims_supported = metadata.get("claims_supported")
+        is_email_verified = userinfo.get("email_verified", None)
+
+        # Fail if email is explicitly unverified, or `email_verified` is a supported claim and
+        # email is not explicitly verified.
+        if is_email_verified is False or (
+            claims_supported
+            and "email_verified" in claims_supported
+            and is_email_verified is not True
+        ):
             log.error("Email is not verified.")
             raise HTTPException(
                 status_code=status.HTTP_400_BAD_REQUEST,