goauthentik/authentik

Improve Twitter/X OAuth provider to support fetching user email in the X API v2

Open

#18466 opened on Dec 1, 2025

View on GitHub
 (1 comment) (2 reactions) (0 assignees)Python (4,050 stars) (319 forks)batch import
enhancementenhancement/confirmedgood first issuepr_wanted

Description

Is your feature request related to a problem?

Currently, the Twitter/X OAuth source in Authentik does not fetch the user email (because not requested). This prevents the system from populating the email field for users authenticating via Twitter/X. Unlike Facebook, which specifies custom fields (e.g., email) via the fields query parameter and handle the email scope in get_additional_parameters method, the Twitter provider does not handle it.

Here is the announcing support for email address retrieval with OAuth 2.0 in the X API v2.

Important: To receive the email from X, the app must have the “Request email from users” permission enabled in the X Developer dashboard. Without this permission, the API will not return the email even if requested.

Describe the solution you'd like

Ideally, have the possibility for each source to add custom url parameters for the profile_url. Like today, we have the possibility to add custom scopes for each source.

Describe alternatives that you've considered

  • Updating the Twitter provider to request the confirmed_email field via the profile URL: https://api.twitter.com/2/users/me?user.fields=confirmed_email
  • To be able to fetch email, we need to update the OAuth scopes: tweet.read users.read users.email.
  • Mapping the confirmed_email field from the API response to the email property in Authentik.

The idea is to populate the email field for Twitter/X users and ideally support custom fields in a consistent way across providers.

Additional context

  • Facebook provider file:
"scope": ["email"],
...
profile_url = "https://graph.facebook.com/v7.0/me?fields=id,name,email"
  • Twitter provider file:
"scope": ["users.read", "tweet.read"],
...
profile_url = "https://api.twitter.com/2/users/me"

  • To understand how is defined the profile_url in each provider: link

  • To understand how profile_url is consumed in the client: link

Contributor guide

Tech stack
pythonrest api
Domain
apiauthentication
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic PythonOAuth2 understandingAuthentik codebase overview
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
Start by examining the Facebook OAuth provider at authentik/sources/oauth/types/facebook.py to see how it fetches email. Then modify the Twitter provider at authentik/sources/oauth/types/twitter.py: update the 'scope' list to include 'users.email', and change the profile url to 'https://api.twitter.com/2/users/me?user.fields=confirmed email'. Finally, ensure the email field from the API response is mapped to the user's email property, potentially by adding a field mapping. Check the OAuth2 client code at clients/oauth2.py to understand how profile url is used.