No verification email sent when linking an external user to an existing local user with unverified email
Describe the bug
I have a site that is configured to allow both local password login/registration and external authentication/registration with Open ID Connect. I noticed that if I register a user locally but don't confirm the email, then register through the external identity provider with the same email, the local user is found, and I am redirected to the page indicating that a verification email was sent, but no email is ever sent. It looks like there's just a call missing to send that email before redirecting to the EmailConfirmationController.ConfirmEmailSent action.
Orchard Core version
2.2.0
To Reproduce
- Cook a fresh site using the Agency recipe.
- Enable the OrchardCore.Users.Registration feature, the OrchardCore.Email.Smtp feature, and the OrchardCore.OpenId.Client feature.
- Configure the Email settings such that emails can be sent by the site.
- Configure the Open ID client settings under Security > OpenID Connect > Settings > Authentication client. I used an Entra External ID tenant configured to allow sign up.
- Under Security > Settings > User Registration, check the "Users must verify their email address" option.
- Go to the registration page and register a new user. Verify that the account verification email was sent, but do not click the link to verify the account.
- Go to the sign-in page, then attempt to sign in/sign up with the external provider using an account with the same email that the local user was registered with.
- In ExternalAuthenticationsController.ExternalLoginCallback, no user is found matching the login provider/provider key, but a user with a matching email is found. The "Users must verify their email address" option is set to true, and the matched user does not have the email address verified, so I am redirected to the EmailConfirmationController.ConfirmEmailSent action, but no email has actually been sent.
I think this is just missing a call to ControllerExtensions.SendEmailConfirmationTokenAsync before the redirect to the page indicating the confirmation email has been sent. In the two other places in that controller where there are redirects to the ConfirmEmailSent page, ControllerExtensions.RegisterUser is called beforehand, which includes a call to send the verification email.
Happy to make a PR for this when I have time, but wanted to at least get this written up while it's on my mind.
Expected behavior
When a user attempts to sign in with an external identity that matches the email of an existing user for which the email is not verified, a verification email should be sent before the user is redirected to the page indicating that an account verification email has been sent.
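The branch described in this issue, reduced to a self-contained model with a recording mail sender so the "redirected but nothing sent" condition can be checked as an invariant. This is an added illustration, not Orchard Core's code: every type, method and parameter below is a hypothetical stand-in, "OtherFlow" is a placeholder for whatever the real controller does otherwise, and the email address is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical stand-ins; these are not Orchard Core classes or signatures.
public record LocalUser(string Email, bool EmailConfirmed);

public interface IConfirmationSender { Task SendTokenAsync(LocalUser user); }

// Test double that records every address a confirmation token was sent to.
public sealed class RecordingSender : IConfirmationSender
{
    public List<string> SentTo { get; } = new();
    public Task SendTokenAsync(LocalUser user) { SentTo.Add(user.Email); return Task.CompletedTask; }
}

public static class ExternalLoginModel
{
    // Models the callback after the provider-key lookup found no user.
    // Returns the name of the action the caller is redirected to.
    public static async Task<string> CallbackAsync(
        LocalUser matchedByEmail, bool mustVerifyEmail,
        IConfirmationSender sender, bool sendBeforeRedirect)
    {
        if (matchedByEmail is not null && mustVerifyEmail && !matchedByEmail.EmailConfirmed)
        {
            // false = behaviour reported in the issue, true = expected behaviour.
            if (sendBeforeRedirect) await sender.SendTokenAsync(matchedByEmail);
            return "ConfirmEmailSent";
        }
        return "OtherFlow"; // placeholder: remaining paths are outside this issue
    }
}

public static class Program
{
    public static async Task Main()
    {
        var user = new LocalUser("user@example.test", EmailConfirmed: false); // constructed sample
        foreach (var sendFirst in new[] { false, true })
        {
            var sender = new RecordingSender();
            var action = await ExternalLoginModel.CallbackAsync(user, true, sender, sendFirst);
            // Invariant: landing on ConfirmEmailSent implies exactly one mail went out.
            var holds = action != "ConfirmEmailSent" || sender.SentTo.Count == 1;
            var verdict = holds ? "holds" : "VIOLATED";
            Console.WriteLine($"sendFirst={sendFirst} action={action} sent={sender.SentTo.Count} invariant {verdict}");
        }
    }
}
```

The same invariant can be asserted in a controller test against a fake email service for every path that redirects to the confirmation page.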
Has any email been sent to the local user?
I get the expected verification email if I go through local registration and enter a username/password/email, so email settings are configured correctly and are being sent to local users. But if I register with an external identity provider, and the callback finds a local user with a matching but unverified email, it does not send an account verification email, which seems like a bug, since it redirects to the page indicating that a verification email has been sent.
I will try to reproduce the issue with the GitHub or X provider if I have time
We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).
This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.