FIX: Accept strings for the email_verified token

This is technically a spec violation, but many providers do this so we should check for the string 'true'

lib/openid_connect_authenticator.rb

@@ -19,7 +19,12 @@ class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
   def primary_email_verified?(auth)
     supplied_verified_boolean = auth['extra']['raw_info']['email_verified']
     # If the payload includes the email_verified boolean, use it. Otherwise assume true
-    supplied_verified_boolean.nil? ? true : supplied_verified_boolean
+    if supplied_verified_boolean.nil?
+      true
+    else
+      # Many providers violate the spec, and send this as a string rather than a boolean
+      supplied_verified_boolean == true || supplied_verified_boolean == 'true'
+    end
   end
 
   def always_update_user_email?

spec/lib/openid_connect_authenticator_spec.rb

@@ -37,6 +37,12 @@ describe OpenIDConnectAuthenticator do
       result = authenticator.after_authenticate(hash)
       expect(result.user).to eq(user)
     end
+
+    it 'matches the user as a true string' do
+      hash[:extra][:raw_info][:email_verified] = 'true'
+      result = authenticator.after_authenticate(hash)
+      expect(result.user).to eq(user)
+    end
   end
 
   context "when email_verified is false" do
@@ -45,6 +51,12 @@ describe OpenIDConnectAuthenticator do
       result = authenticator.after_authenticate(hash)
       expect(result.user).to eq(nil)
     end
+
+    it 'does not match the user as a false string' do
+      hash[:extra][:raw_info][:email_verified] = 'false'
+      result = authenticator.after_authenticate(hash)
+      expect(result.user).to eq(nil)
+    end
   end
 
 end