diff --git a/server/auth/OidcAuthStrategy.js b/server/auth/OidcAuthStrategy.js
index 5e48917af..85003fe35 100644
--- a/server/auth/OidcAuthStrategy.js
+++ b/server/auth/OidcAuthStrategy.js
@@ -168,7 +168,7 @@ class OidcAuthStrategy {
       }
 
       // Enforce email_verified check on every login if configured
-      if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified === false) {
+      if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified !== true) {
         throw new AuthError('Email is not verified', 401)
       }
 
diff --git a/test/server/auth/OidcAuthStrategy.test.js b/test/server/auth/OidcAuthStrategy.test.js
index 29afc3196..801e1d5c6 100644
--- a/test/server/auth/OidcAuthStrategy.test.js
+++ b/test/server/auth/OidcAuthStrategy.test.js
@@ -481,14 +481,16 @@ describe('OidcAuthStrategy', function () {
       expect(result).to.equal(user)
     })
 
-    it('should allow login when email_verified is missing and enforcement is on', async function () {
-      // Only reject when explicitly false, not when absent
+    it('should reject login when email_verified is missing and enforcement is on', async function () {
       global.ServerSettings.authOpenIDRequireVerifiedEmail = true
-      const user = makeUser()
-      DatabaseStub.userModel.findUserFromOpenIdUserInfo.resolves(user)
 
-      const result = await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
-      expect(result).to.equal(user)
+      try {
+        await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
+        expect.fail('should have thrown')
+      } catch (err) {
+        expect(err.message).to.equal('Email is not verified')
+        expect(err.statusCode).to.equal(401)
+      }
     })
 
     it('should auto-register new user when enabled', async function () {