Logging into Quay via OIDC fails with the verified email claim error

Solution Verified - Updated -

Issue

  • Logging into Quay via OIDC when Azure is used as the OIDC provider fails with the following message:

    "A verified email address is required to login with this service."
    

    along with the following exception visible in Quay logs:

    gunicorn-web stdout | 2024-05-22 15:17:19,194 [220] [DEBUG] [oauth.login_utils] Found e-mail address `None` for sub `SOME_SUB`
    gunicorn-web stdout | 2024-05-22 15:17:19,194 [220] [ERROR] [endpoints.oauth.login] Got login exception
    gunicorn-web stdout | Traceback (most recent call last):
    gunicorn-web stdout |   File "/quay-registry/endpoints/oauth/login.py", line 121, in callback_func
    gunicorn-web stdout |     lid, lusername, lemail, additional_info = login_service.exchange_code_for_login(
    gunicorn-web stdout |   File "/quay-registry/oauth/oidc.py", line 195, in exchange_code_for_login
    gunicorn-web stdout |     return get_sub_username_email_from_token(
    gunicorn-web stdout |   File "/quay-registry/oauth/login_utils.py", line 93, in get_sub_username_email_from_token
    gunicorn-web stdout |     raise OAuthLoginException(
    gunicorn-web stdout | oauth.login.OAuthLoginException: A verified email address is required to login with this service
    

Environment

  • Red Hat Quay
    • 3.11.0
  • Microsoft Entra ID (Azure) configured as an OIDC provider
  • FEATURE_MAILING is enabled in Quay configuration
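
The log line above shows Quay finding e-mail address `None` for the subject, so a useful first check is which e-mail claims the ID token issued by the provider actually carries. The following is an added example, not Quay's code and not part of the original article; it assumes the standard OIDC claim names `email` and `email_verified`, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_claim_findings(claims: dict) -> list:
    """List reasons the token would not yield a verified e-mail address."""
    findings = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        findings.append("email claim missing or not an address")
    verified = claims.get("email_verified")
    if verified is None:
        findings.append("email_verified claim missing")
    elif verified is not True:
        findings.append("email_verified is %r, not boolean true" % (verified,))
    return findings


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo below (constructed data)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed samples, not captured from a real tenant.
TOKEN_WITHOUT_EMAIL = constructed_token({"sub": "SOME_SUB", "name": "Sample User"})
TOKEN_WITH_EMAIL = constructed_token(
    {"sub": "SOME_SUB", "email": "user@example.com", "email_verified": True}
)

if __name__ == "__main__":
    for label, tok in [("no email", TOKEN_WITHOUT_EMAIL), ("email", TOKEN_WITH_EMAIL)]:
        print(label, "->", email_claim_findings(decode_claims(tok)) or "ok")
```

Because the signature is not checked, use this only to inspect a token offline during troubleshooting, never to make an authentication decision.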
