From 32de8ed04a2446bb4e86f42cda591dc81d5247e8 Mon Sep 17 00:00:00 2001
From: Gani Georgiev <gani.georgiev@gmail.com>
Date: Sat, 29 Mar 2025 09:28:31 +0200
Subject: [PATCH] [#6657] allow OIDC email_verified to be int or boolean string

---
 CHANGELOG.md       | 5 +++++
 CHANGELOG_16_22.md | 5 +++++
 tools/auth/oidc.go | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c678a0c..14e70171 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v0.26.6
+
+- Allow OIDC `email_verified` to be int or boolean string since some OIDC providers like AWS Cognito has non-standard userinfo response ([#6657](https://github.com/pocketbase/pocketbase/pull/6657)).
+
+
 ## v0.26.5
 
 - Fixed canonical URI parts escaping when generating the S3 request signature ([#6654](https://github.com/pocketbase/pocketbase/issues/6654)).
diff --git a/CHANGELOG_16_22.md b/CHANGELOG_16_22.md
index 529e7d1b..1d591872 100644
--- a/CHANGELOG_16_22.md
+++ b/CHANGELOG_16_22.md
@@ -2,6 +2,11 @@
 > For the most recent versions, please refer to [CHANGELOG.md](./CHANGELOG.md)
 ---
 
+## v0.22.34
+
+- (_Backported from v0.26.6_) Allow OIDC `email_verified` to be int or boolean string since some OIDC providers like AWS Cognito has non-standard userinfo response ([#6657](https://github.com/pocketbase/pocketbase/pull/6657)).
+
+
 ## v0.22.33
 
 - (_Backported from v0.26.3_) Fixed and normalized logs error serialization across common types for more consistent logs error output ([#6631](https://github.com/pocketbase/pocketbase/issues/6631)).
diff --git a/tools/auth/oidc.go b/tools/auth/oidc.go
index ddef97b4..81529ad6 100644
--- a/tools/auth/oidc.go
+++ b/tools/auth/oidc.go
@@ -92,7 +92,7 @@ func (p *OIDC) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 		Username      string `json:"preferred_username"`
 		Picture       string `json:"picture"`
 		Email         string `json:"email"`
-		EmailVerified bool   `json:"email_verified"`
+		EmailVerified any    `json:"email_verified"` // see #6657
 	}{}
 	if err := json.Unmarshal(data, &extracted); err != nil {
 		return nil, err
@@ -110,7 +110,7 @@ func (p *OIDC) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 
 	user.Expiry, _ = types.ParseDateTime(token.Expiry)
 
-	if extracted.EmailVerified {
+	if cast.ToBool(extracted.EmailVerified) {
 		user.Email = extracted.Email
 	}