[Bug] email_verified_required configuration not working #3004

@ElyasAsmad

Description

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The email_verified_required configuration did not block users with an unverified email from connecting to the tailnet. Additionally, headscale registers the user without an email (refer to the picture).

Image

Expected Behavior

Any user with email_verified: false in the OIDC claim should get the unverified email response from headscale, even though the group claim exists and is valid in their OIDC claim. Additionally, headscale should not register a user with an unverified email at all, and should not continue the registration process without an email.

Steps To Reproduce

  1. Create a new user in your OIDC provider. For example, I created a new user with fake@email.com in Auth0.
  2. Assign a valid group for the user in your OIDC provider. In my example, I assigned deta-tech-hq group.
  3. Configure headscale with email_verified_required: true and add deta-tech-hq to allowed_groups configuration.
  4. Now, try to log in with Tailscale as the newly created user.
  5. User with unverified email can access the Tailnet and its resources.

Environment

- OS: Ubuntu 25.04
- Headscale version: 84c092a9f987+dirty (commit: 84c092a9f9875ed274aa40c9c14ebbcb05166f43)
- Tailscale version: 1.88.3

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

ts-netmap-20260111205945.json

ts-status-20260111210208.json

headscale-logs.txt

headscale-config.yml
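
The behaviour requested under Expected Behavior, as an added Go example (not headscale's code and not part of the original report): every configured check must pass, and a missing or malformed `email_verified` claim is treated as unverified. `Policy`, `Authorize`, `emailVerified` and the `groups` claim name are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type Policy struct { // hypothetical type, not headscale's
	EmailVerifiedRequired bool     // mirrors email_verified_required
	AllowedGroups         []string // mirrors allowed_groups
}

var ErrUnverifiedEmail, ErrGroupNotAllowed = errors.New("unverified email"), errors.New("no allowed group")

// emailVerified fails closed: an absent, null or malformed claim is unverified.
// Some providers send the string "true" instead of a JSON boolean.
func emailVerified(raw json.RawMessage) bool {
	var b bool
	var s string
	return (json.Unmarshal(raw, &b) == nil && b) || (json.Unmarshal(raw, &s) == nil && s == "true")
}

// Authorize returns nil only when every configured check passes, so a valid
// group never compensates for an unverified email.
func Authorize(p Policy, claims []byte) error {
	var c struct {
		EmailVerified json.RawMessage `json:"email_verified"`
		Groups        []string        `json:"groups"` // claim name is an assumption
	}
	if err := json.Unmarshal(claims, &c); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	if p.EmailVerifiedRequired && !emailVerified(c.EmailVerified) {
		return ErrUnverifiedEmail
	}
	ok := len(p.AllowedGroups) == 0 // no group restriction configured
	for _, g := range c.Groups {
		for _, a := range p.AllowedGroups {
			ok = ok || g == a
		}
	}
	if !ok {
		return ErrGroupNotAllowed
	}
	return nil
}

func main() { // constructed claims matching the report: valid group, unverified email
	c := []byte(`{"email_verified":false,"groups":["deta-tech-hq"]}`)
	fmt.Println(Authorize(Policy{true, []string{"deta-tech-hq"}}, c))
}
```

The caller should create or update the user record only after `Authorize` returns nil, so a rejected login leaves no user without an email behind.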

Labels: OIDC (OpenID Connect related issues), bug (Something isn't working)
