Comment by cxcorp

4 months ago

This is very important to keep in mind when implementing OAuth authentication! Not every SSO provider is the same. Even if the SSO provider tells you that the user's email is X, they might not even have confirmed that email address! Don't trust it and confirm the email yourself!

And remember to add a random unique id to the reply-to email, otherwise you’ve fallen into the same trap.
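As an added illustration of the two points in this comment (not code from cxcorp or from the original post): the OIDC `email_verified` claim is only as good as the issuer that set it, so the example treats an email as confirmed only when the issuer is on an allowlist the application maintains AND the claim is literally the boolean `true`; for every other case it generates an unguessable one-time token, stores only its hash, and lets the user prove control of the mailbox by presenting the token. The issuer URL in `TRUSTED_ISSUERS`, the 15-minute TTL, and the in-memory `pending` dict (standing in for a database table) are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption for the example: issuers whose email_verified claim the app has
# decided to trust after reviewing that provider's verification practice.
# Any issuer not listed here is treated as "email unconfirmed" no matter what
# its token says.
TRUSTED_ISSUERS = {"https://accounts.google.com"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a verification token


def email_from_claims(claims: dict) -> Tuple[Optional[str], bool]:
    """Return (normalised email, trusted).

    trusted is True only when the issuer is allowlisted AND it asserted
    email_verified as the JSON boolean true. The string "true", 1, or a
    missing claim all count as unverified.
    """
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None, False
    verified = claims.get("email_verified") is True
    trusted = verified and claims.get("iss") in TRUSTED_ISSUERS
    return email.strip().lower(), trusted


@dataclass
class PendingVerification:
    user_id: str
    email: str
    expires_at: float


@dataclass
class EmailVerifier:
    # Keyed by SHA-256 of the token, so a leaked copy of this store does not
    # let anyone confirm an address. Stand-in for a database table.
    pending: Dict[str, PendingVerification] = field(default_factory=dict)

    def start(self, user_id: str, email: str, now: Optional[float] = None) -> str:
        """Create a single-use token to embed in the confirmation mail
        (link or reply-to address) and return it. Only the hash is kept."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        expires = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self.pending[digest] = PendingVerification(user_id, email, expires)
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[PendingVerification]:
        """Redeem a token. Returns the record on success, None for an unknown,
        reused, or expired token. pop() makes every token single-use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.pending.pop(digest, None)
        if record is None:
            return None
        if (time.time() if now is None else now) > record.expires_at:
            return None
        return record


def link_sso_login(claims: dict, user_id: str, verifier: EmailVerifier,
                   now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Decide what to do with the email an SSO provider handed us.

    Returns ("verified", email) when the issuer's assertion is trusted,
    ("pending", token) when we must confirm the address ourselves, or
    ("none", None) when no usable email was present.
    """
    email, trusted = email_from_claims(claims)
    if email is None:
        return "none", None
    if trusted:
        return "verified", email
    return "pending", verifier.start(user_id, email, now=now)


if __name__ == "__main__":
    # Constructed sample claims from an untrusted issuer.
    claims = {"iss": "https://idp.example", "sub": "42",
              "email": "Alice@Example.com", "email_verified": True}
    v = EmailVerifier()
    state, token = link_sso_login(claims, "user-42", v)
    print(state)                      # pending: issuer not allowlisted
    print(v.confirm(token) is not None)  # True: user presented the token
    print(v.confirm(token) is not None)  # False: single use
```

Two details worth copying: the `is True` comparison rejects providers that emit `email_verified` as a string, and `pop()` in `confirm` burns the token on first use, so a confirmation message that is forwarded or logged cannot be replayed later.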