feat: Add support for skipping the email_verified claim on email issuer types

[mogthesprog]

Summary

This PR adds support for enterprise identity providers (Microsoft Entra/Azure AD, ADFS) that don't include the email_verified claim in their OIDC tokens.

Problem: Enterprise identity providers often handle email verification through centralized identity management systems rather than including an email_verified claim in OIDC tokens. Fulcio currently requires this claim to be present and set to true for all email-type issuers, which blocks valid tokens from these enterprise providers and prevents internal Fulcio deployments in organizations using Microsoft Entra, ADFS, or similar systems.

Solution: Added a new optional skip-email-verification configuration field per OIDC issuer. When set to true, Fulcio will skip the email_verified claim check while still validating email format. This maintains security by default (requires verification) while allowing explicit opt-in for trusted internal providers.

Testing:

• All existing tests pass, confirming backward compatibility
• New tests cover scenarios with missing email_verified claims, explicit false values, and true values when skip is enabled
• Config parsing tests verify YAML and JSON deserialization of the new field

See issue #2219 for additional context.

Release Note

Added optional skip-email-verification configuration field for OIDC issuers to support enterprise identity providers (Microsoft Entra/Azure AD, ADFS) that don't include the email_verified claim in tokens. This field defaults to false to maintain existing security behavior. Operators can set it to true for trusted internal identity providers where email verification is handled through organizational identity management.

Configuration example:

  oidc-issuers:
    https://login.microsoftonline.com/TENANT_ID/v2.0:
      issuer-url: https://login.microsoftonline.com/TENANT_ID/v2.0
      client-id: your-client-id
      type: email
      skip-email-verification: true

Documentation

If we decide to go ahead with this, then i'll update the docs repo too.

[codecov]

Codecov Report

❌ Patch coverage is 86.20690% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.04%. Comparing base (cf238ac) to head (c397b74).
⚠️ Report is 517 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/generated/protobuf/fulcio.pb.go	0.00%	4 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2220       +/-   ##
===========================================
- Coverage   57.93%   45.04%   -12.90%     
===========================================
  Files          50       72       +22     
  Lines        3119     4689     +1570     
===========================================
+ Hits         1807     2112      +305     
- Misses       1154     2342     +1188     
- Partials      158      235       +77     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Hayden-IO]

Thanks!

[Hayden-IO]

Can you also update this function? This is used to output the server's configuration, e.g. http://fulcio.sigstore.dev/api/v2/configuration

[mogthesprog]

yeh definitely, will sort this evening.

[mogthesprog]

this should have been addressed now. make gen/lint/test has also been run and committed too

[Hayden-IO]

Thank you!