Authentik is a powerful identity provider, but when you use it with WordPress via the miniOrange OAuth/OpenID Connect (OIDC) plugin, you can hit a couple of common issues:
- Missing Email Verification
- Username not received
- Authentik sending "email_verified": false
This guide walks through the exact steps to make Authentik talk cleanly to WordPress with the miniOrange plugin.
Background: What WordPress & miniOrange Expect
The WordPress OAuth/OIDC workflow expects certain claims in the ID token:
| Claim | Required? | Expected Format |
|---|---|---|
| email | Yes | true email |
| email_verified | Yes | boolean (not string) |
| preferred_username or username | Yes | string |
Authentik defaults email_verified to false for safety, because it doesn't assume verification is real unless you explicitly confirm it.
Many apps (including WordPress plugins) consider an unverified email to be untrustworthy and won't create or authorize users if the claim is false.
Step 1: Create a Custom Scope Mapping for Email
Authentik's default email scope sets:
"email_verified": False
We need to flip that.
In Authentik:
Go to:
Customizations → Property Mappings → Create
Choose Scope Mapping
Fill the form:

Save.
This mapping ensures the email_verified claim is always sent back as a real boolean, which WordPress expects.
Step 2: Update the WordPress OIDC Provider
Now that you have a custom email mapping:
- Go to:
Applications → Providers → (your WordPress provider)
- Click Edit
- Expand Advanced Protocol Settings
- In Scopes, update like so:

- Update the provider
Step 3: Verify Your Claims
The ID token now needs to contain:
{
"email": "user@example.com",
"email_verified": true,
"preferred_username": "user@example.com"
}
If you’re unsure what is being returned:
- Log into Authentik Admin
- Navigate to the Events view
- Look for the token issuance event
- Decode the JWT (e.g. via jwt.io)
You can also enable token preview in the provider screens.
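The claim check from this step can also be run locally, so the token never has to be pasted into a third-party site. This is an added example, not part of the original guide or of Authentik or miniOrange code; it decodes the payload without verifying the signature, so it is for inspection only, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload locally. No signature check: inspection only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict) -> list:
    """Return a list of problems with the claims this guide's setup relies on."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("email missing or not an email address")
    verified = claims.get("email_verified")
    if not isinstance(verified, bool):
        # A string such as "true" is the format error the claims table warns about.
        problems.append(f"email_verified is {type(verified).__name__}, not boolean")
    elif verified is False:
        problems.append("email_verified is false")
    if not any(isinstance(claims.get(k), str) and claims.get(k)
               for k in ("preferred_username", "username")):
        problems.append("no preferred_username or username (profile scope missing?)")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo below (not a real token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


if __name__ == "__main__":
    good = make_sample_token({"email": "user@example.com", "email_verified": True,
                              "preferred_username": "user@example.com"})
    bad = make_sample_token({"email": "user@example.com", "email_verified": "true"})
    for label, tok in (("good", good), ("bad", bad)):
        print(label, check_claims(decode_payload(tok)) or "OK")
```

An empty result means the token carries all three claims in the format listed in the table above.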
Step 4: Ensure WordPress Gets a Username
If WordPress reports:
Username not received. Check your Attribute Mapping configuration.
Then make sure the profile scope is included in the provider:
- openid
- profile
- your new email mapping
The profile scope (the default mapping) ensures you will get:
- preferred_username
- name
- other user profile claims
miniOrange needs username-like claims to create accounts.
WordPress miniOrange Plugin Settings
In the miniOrange plugin settings in WordPress:
OIDC / OAuth Configuration:
- Client ID and Client Secret: supplied from Authentik provider
- Redirect URL: must match Authentik's configured redirect
- Scopes: openid profile email
- User Attribute Mapping:
  - Username → preferred_username
  - Email → email
This mapping works with the claims we're sending.
Test the Flow
- Open a new private browser window
- Start the login from WordPress
- You should be redirected to Authentik
- After login, WordPress should:
  - Accept the callback
  - Create the user if new
  - Log in the user automatically
Why the email_verified Change Matters
As documented in the Authentik 2025.10 release, the default mapping now deliberately sends:
"email_verified": false
That's a security decision, but many apps block account creation if email isn't verified.
By creating a custom scope mapping that returns true, you signal to WordPress that this email can be trusted, and the signal applies to every user, whether or not Authentik actually verified the address.
If you want a conditional version (only true if Authentik truly verified the email via a flow), you can expand the mapping:
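# Expression body of the scope mapping.
return {
    "email": request.user.email,
    # "is True" accepts only a real boolean; bool("false") would evaluate to True.
    "email_verified": request.user.attributes.get("email_verified", False) is True,
}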
Summary Checklist
- Create Scope Mapping for email with email_verified: True
- Replace the default email mapping in your provider
- Ensure openid and profile scopes are selected
- Map preferred_username → Username in miniOrange
- Test login in private window
References
- miniOrange error codes & fixes: https://faq.miniorange.com/knowledgebase/fix-wpo01-wpo02-wpo04-admin-sso-login-errors/
- Authentik default OAuth scope changes (2025.10)