Authentik is a powerful identity provider, but when you use it with WordPress via the miniOrange OAuth/OpenID Connect (OIDC) plugin, you can hit a couple of common issues:
- Missing Email Verification
- Username not received
- Authentik sending "email_verified": false
This guide walks through the exact steps to make Authentik talk cleanly to WordPress with the miniOrange plugin.
Background: What WordPress & miniOrange Expect
The WordPress OAuth/OIDC workflow expects certain claims in the ID token:
| Claim | Required? | Expected Format |
|---|---|---|
| email | Yes | true email |
| email_verified | Yes | boolean (not string) |
| preferred_username or username | Yes | string |
Authentik defaults email_verified to false for safety, because it doesn't assume verification is real unless you explicitly confirm it.
Many apps (including WordPress plugins) consider an unverified email to be untrustworthy and won't create or authorize users if the claim is false.
Step 1: Create a Custom Scope Mapping for Email
Authentik's default email scope sets:
"email_verified": False
We need to flip that.
In Authentik:
Go to:
Customizations → Property Mappings → Create
Choose Scope Mapping
Fill the form:

Save.
This mapping ensures the email_verified claim is always sent back as a real boolean, which WordPress expects.
Step 2: Update the WordPress OIDC Provider
Now that you have a custom email mapping:
- Go to:
Applications → Providers → (your WordPress provider)
- Click Edit
- Expand Advanced Protocol Settings
- In Scopes, update like so:

- Update the provider
Step 3: Verify Your Claims
The ID token now needs to contain:
{
"email": "user@example.com",
"email_verified": true,
"preferred_username": "user@example.com"
}
If you’re unsure what is being returned:
- Log into Authentik Admin
- Navigate to the Events view
- Look for the token issuance event
- Decode the JWT (e.g. via jwt.io)
You can also enable token preview in the provider screens.
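An added example (not from the original post, Authentik or miniOrange) that checks a decoded ID token locally against the claim table in the Background section, so the token does not have to be pasted into a third-party site. The function names and the sample token are constructed for illustration, and the signature is not verified, so this is for inspection only.

```python
import base64
import json


def decode_payload(id_token: str) -> dict:
    """Return the claims of a JWT without verifying its signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(claims: dict) -> list:
    """List every way the claims differ from what the Background table expects."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("email: missing or not an email address")
    verified = claims.get("email_verified")
    if not isinstance(verified, bool):  # catches the string "true" and a missing claim
        problems.append(f"email_verified: expected boolean, got {type(verified).__name__}")
    elif verified is False:
        problems.append("email_verified: false")
    username = claims.get("preferred_username") or claims.get("username")
    if not isinstance(username, str) or not username:
        problems.append("preferred_username/username: missing")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    good = {"email": "user@example.com", "email_verified": True,
            "preferred_username": "user@example.com"}
    samples = (good, {**good, "email_verified": "true"},
               {"email": "user@example.com", "email_verified": False})
    for claims in samples:
        print(check_claims(decode_payload(make_sample_token(claims))) or "claims OK")
```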
Step 4: Ensure WordPress Gets a Username
If WordPress reports:
Username not received. Check your Attribute Mapping configuration.
Then make sure the profile scope is included in the provider:
- openid
- profile
- your new email mapping
The profile scope (the default mapping) ensures you will get:
- preferred_username
- name
- other user profile claims
miniOrange needs username-like claims to create accounts.
WordPress miniOrange Plugin SETTINGS
In the miniOrange plugin settings in WordPress:
OIDC / OAuth Configuration:
- Client ID and Client Secret: supplied from Authentik provider
- Redirect URL: must match Authentik's configured redirect
- Scopes: openid profile email
- User Attribute Mapping:
  - Username → preferred_username
  - Email → email
This mapping works with the claims we're sending.
Test the Flow
- Open a new private browser window
- Start the login from WordPress
- You should be redirected to Authentik
- After login, WordPress should:
- Accept the callback
- Create the user if new
- Log in the user automatically
Why the email_verified Change Matters
As documented in the Authentik 2025.10 release, the default mapping now deliberately sends:
"email_verified": false
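That's a security decision, but many apps block account creation if the email isn't verified.
By creating a custom scope mapping that returns true, you signal to WordPress that this email can be trusted. Because the mapping returns true unconditionally, that signal is sent for every user, whether or not Authentik ever verified the address.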
If you want a conditional version (only true if Authentik truly verified the email via a flow), you can expand the mapping:
return {
    "email": request.user.email,
    "email_verified": bool(request.user.attributes.get("email_verified", False)),
}
Summary Checklist
- Create Scope Mapping for email with email_verified: True
- Replace the default email mapping in your provider
- Ensure openid and profile scopes are selected
- Map preferred_username → Username in miniOrange
- Test login in private window
References
- miniOrange error codes & fixes: https://faq.miniorange.com/knowledgebase/fix-wpo01-wpo02-wpo04-admin-sso-login-errors/
- Authentik default OAuth scope changes (2025.10)