OpenID Connect with Microsoft

I have challenges integrating OIDC with Microsoft. Here is the error I get

Below are my configs:

#Microsoft OIDC
      GRIST_OIDC_SP_HOST: https://grist.xxxxxx.yy
      GRIST_OIDC_IDP_ISSUER: https://login.microsoftonline.com/xxxxxxxxxx/v2.0/.well-known/openid-configuration
      GRIST_OIDC_IDP_SCOPES: "openid profile email User.Read"
      GRIST_OIDC_IDP_CLIENT_ID: xxxxxxxxx
      GRIST_OIDC_IDP_CLIENT_SECRET: xxxxxxxxxxx
      GRIST_OIDC_SP_PROFILE_NAME_ATTR: name
      GRIST_OIDC_SP_PROFILE_EMAIL_ATTR: email,preferred_username

Any assistance is much appreciated.

Hi @Vince_M , that error message suggests that the identity provider has an account for your email address, but has it marked as unverified (for example, that a link or code in a verification email sent to that address wasn’t acted on). This could be real or a misconfiguration of some kind. In OIDC - Grist Help Center I see a GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED setting if you are confident this status should be ignored in your case.

Hi @paul-grist ,

If I add the env variable you suggested, login succeeds but the email field is undefined.

I have decoded the jwt id token (using similar flow in a different app) and it shows the following, real values redacted.

Since email, preferred_username and upn are all available in the token, I fail to understand where the real issue could be.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "REDACTED_KEY_ID"
}.
{
  "aud": "REDACTED_CLIENT_ID",
  "iss": "https://login.microsoftonline.com/REDACTED_TENANT_ID/v2.0",
  "iat": 1765558591,
  "nbf": 1765558591,
  "exp": 1765562491,
  "aio": "REDACTED_AIO",
  "email": "REDACTED_EMAIL", // email is available
  "name": "REDACTED_NAME", // name is available
  "oid": "REDACTED_OBJECT_ID",
  "preferred_username": "REDACTED_EMAIL", // is available
  "rh": "REDACTED_RH",
  "sid": "REDACTED_SESSION_ID",
  "sub": "REDACTED_SUBJECT_ID",
  "tid": "REDACTED_TENANT_ID",
  "upn": "REDACTED_EMAIL", // upn is available
  "uti": "REDACTED_UTI",
  "ver": "2.0"
}
.[Signature]

Below are the optional claims settings in Azure.

Microsoft → does NOT send email_verified.

Instead, the available claim is:

"verified_primary_email": [
"xxxxxx@xxxxx.yy"
]

I hope this exception can be updated so that it does NOT require the email_verified claim.
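As an added illustration (not Grist's code and not part of the post above), here is how a relying party could treat the two verification claims described in this thread: an address counts as verified when either `email_verified` is true or it appears in Microsoft's `verified_primary_email` array, and a token with neither is rejected unless an ignore switch equivalent to GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED is set. The claim payloads are constructed; `resolveEmail` and `EMAIL_ATTRS` are hypothetical names.

```javascript
// Hypothetical relying-party helper (not Grist's implementation).
// Attribute order mirrors GRIST_OIDC_SP_PROFILE_EMAIL_ATTR: email,preferred_username
const EMAIL_ATTRS = ['email', 'preferred_username'];

// Returns { email, verified, reason }. email is undefined when the token
// cannot be trusted, so callers fail closed instead of creating an account.
function resolveEmail(claims, ignoreEmailVerified = false) {
  // First listed attribute that is present in the ID token wins.
  const email = EMAIL_ATTRS.map((a) => claims[a]).find((v) => typeof v === 'string');
  if (!email) return { email: undefined, verified: false, reason: 'no-email-claim' };

  // Standard OIDC claim, sent by many IdPs but not by Microsoft Entra ID v2.0.
  if (claims.email_verified === true) {
    return { email, verified: true, reason: 'email_verified' };
  }

  // Microsoft optional claim: an array of verified addresses. Compare
  // case-insensitively, since the local part of an address may vary in case.
  const vpe = claims.verified_primary_email;
  const listed = Array.isArray(vpe) &&
    vpe.some((v) => typeof v === 'string' && v.toLowerCase() === email.toLowerCase());
  if (listed) return { email, verified: true, reason: 'verified_primary_email' };

  // Neither claim present: only accept when the operator opted in explicitly.
  if (ignoreEmailVerified) return { email, verified: false, reason: 'ignore-flag' };
  return { email: undefined, verified: false, reason: 'unverified' };
}

// Constructed sample payloads (shapes follow the redacted token in the thread).
const MS_TOKEN = {
  iss: 'https://login.microsoftonline.com/EXAMPLE_TENANT/v2.0',
  email: 'User@example.test',
  preferred_username: 'User@example.test',
  upn: 'User@example.test',
  verified_primary_email: ['user@example.test'],
  ver: '2.0',
};
const MS_TOKEN_WITHOUT_OPTIONAL_CLAIM = { email: 'User@example.test', ver: '2.0' };
const GENERIC_TOKEN = { email: 'someone@example.test', email_verified: true };
```

Enabling the `verified_primary_email` optional claim in the Azure app registration is what makes the second branch usable; without it the token falls through to the ignore flag.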

@Vince_M you could report your findings as an issue on GitHub - gristlabs/grist-core: Grist is the evolution of spreadsheets. where the maintainer of the OIDC connection (fflorent on GitHub) is more likely to see it.
