diff --git a/server/flow.go b/server/flow.go
index dbdf982..1d7e3a3 100644
--- a/server/flow.go
+++ b/server/flow.go
@@ -14,6 +14,7 @@ import (
 	"github.com/julienschmidt/httprouter"
 	"golang.org/x/oauth2"
 	"net/http"
+	"net/mail"
 	"strings"
 	"time"
 )
@@ -45,6 +46,9 @@ func (h *HttpServer) flowPopupPost(rw http.ResponseWriter, req *http.Request, _
 		http.Error(rw, "No login service defined for this username", http.StatusBadRequest)
 		return
 	}
+	// the @ must exist if the service is defined
+	n := strings.IndexByte(loginName, '@')
+	loginUn := loginName[:n]
 
 	targetOrigin := req.PostFormValue("origin")
 	if _, found := h.services[targetOrigin]; !found {
@@ -62,7 +66,7 @@ func (h *HttpServer) flowPopupPost(rw http.ResponseWriter, req *http.Request, _
 	// generate oauth2 config and redirect to authorize URL
 	oa2conf := login.OAuth2Config
 	oa2conf.RedirectURL = h.conf.BaseUrl + "/callback"
-	nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginName))
+	nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))
 	http.Redirect(rw, req, nextUrl, http.StatusFound)
 }
 
@@ -125,6 +129,26 @@ func (h *HttpServer) flowCallback(rw http.ResponseWriter, req *http.Request, _ h
 	}
 
 	ps := claims.NewPermStorage()
+
+	if verified, ok := v3["email_verified"].(bool); ok && verified {
+		if mailAddress, ok := v3["email"].(string); ok {
+			address, err := mail.ParseAddress(mailAddress)
+			if err != nil {
+				http.Error(rw, "Invalid email in userinfo", http.StatusInternalServerError)
+				return
+			}
+			n := strings.IndexByte(address.Address, '@')
+			if n == -1 {
+				goto noEmailSupport
+			}
+			if address.Address[n+1:] != v.sso.Config.Namespace {
+				goto noEmailSupport
+			}
+			ps.Set("mail-client")
+		}
+	}
+
+noEmailSupport:
 	nsSub := sub + "@" + v.sso.Config.Namespace
 	ati := uuidNewStringAti()
 	accessToken, err := h.signer.GenerateJwt(nsSub, ati, jwt.ClaimStrings{aud}, 15*time.Minute, auth.AccessTokenClaims{
diff --git a/test-client/index.html b/test-client/index.html
index a6ec13a..22f1f36 100644
--- a/test-client/index.html
+++ b/test-client/index.html
@@ -3,60 +3,82 @@
 <head>
     <title>Test Client</title>
     <script>
-var currentLoginPopup = null;
+        let currentLoginPopup = null;
 
-window.addEventListener("message", function (event) {
-  if (event.origin !== "http:\/\/localhost:9090") return;
-  if (isObject(event.data)) {
-    document.getElementById("someTextArea").textContent = JSON.stringify(event.data, null, 2);
-    if(currentLoginPopup) currentLoginPopup.close();
-    return;
-  }
-  alert("Failed to log user in: the login data was probably corrupted");
-});
+        window.addEventListener("message", function (event) {
+            if (event.origin !== "http:\/\/localhost:9090") return;
+            if (isObject(event.data)) {
+                document.getElementById("someTextArea").textContent = JSON.stringify(event.data, null, 2);
+                let perms = document.getElementById("somePerms");
+                perms.childNodes.forEach(function (x) {
+                    x.clear();
+                });
+                let jwt = parseJwt(event.data.tokens.access);
+                if (jwt.per != null) {
+                    jwt.per.forEach(function (x) {
+                        let a = document.createElement("li");
+                        a.textContent = x;
+                        perms.appendChild(a);
+                    });
+                }
 
-function isObject(obj) {
-  return obj != null && obj.constructor.name === "Object"
-}
+                if (currentLoginPopup) currentLoginPopup.close();
+                return;
+            }
+            alert("Failed to log user in: the login data was probably corrupted");
+        });
 
-function popupCenterScreen(url, title, w, h, focus) {
-  const top = (screen.availHeight - h) / 4, left = (screen.availWidth - w) / 2;
-  const popup = openWindow(url, title, `scrollbars=yes,width=${w},height=${h},top=${top},left=${left}`);
-  if (focus === true && window.focus) popup.focus();
-  return popup;
-}
+        function parseJwt(token) {
+            const base64Url = token.split('.')[1];
+            const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
+            const jsonPayload = decodeURIComponent(window.atob(base64).split('').map(function (c) {
+                return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
+            }).join(''));
+            return JSON.parse(jsonPayload);
+        }
 
-function openWindow(url, winnm, options) {
-  var wTop = firstAvailableValue([window.screen.availTop, window.screenY, window.screenTop, 0]);
-  var wLeft = firstAvailableValue([window.screen.availLeft, window.screenX, window.screenLeft, 0]);
-  var top = 0, left = 0;
-  var result;
-  if ((result = /top=(\d+)/g.exec(options))) top = parseInt(result[1]);
-  if ((result = /left=(\d+)/g.exec(options))) left = parseInt(result[1]);
-  if (options) {
-    options = options.replace("top=" + top, "top=" + (parseInt(top) + wTop));
-    options = options.replace("left=" + left, "left=" + (parseInt(left) + wLeft));
-    w = window.open(url, winnm, options);
-  } else w = window.open(url, winnm);
-  return w;
-}
+        function isObject(obj) {
+            return obj != null && obj.constructor.name === "Object"
+        }
 
-function firstAvailableValue(arr) {
-  for (var i = 0; i < arr.length; i++)
-    if (typeof arr[i] != 'undefined')
-      return arr[i];
-}
+        function popupCenterScreen(url, title, w, h, focus) {
+            const top = (screen.availHeight - h) / 4, left = (screen.availWidth - w) / 2;
+            const popup = openWindow(url, title, `scrollbars=yes,width=${w},height=${h},top=${top},left=${left}`);
+            if (focus === true && window.focus) popup.focus();
+            return popup;
+        }
 
-function doThisThing() {
-  if(currentLoginPopup) currentLoginPopup.close();
-  currentLoginPopup = popupCenterScreen('http://localhost:9090/popup?origin='+encodeURIComponent("http://localhost:2020"), 'Login with Lavender', 500, 500, false);
-}
+        function openWindow(url, winnm, options) {
+            var wTop = firstAvailableValue([window.screen.availTop, window.screenY, window.screenTop, 0]);
+            var wLeft = firstAvailableValue([window.screen.availLeft, window.screenX, window.screenLeft, 0]);
+            var top = 0, left = 0;
+            var result;
+            if ((result = /top=(\d+)/g.exec(options))) top = parseInt(result[1]);
+            if ((result = /left=(\d+)/g.exec(options))) left = parseInt(result[1]);
+            if (options) {
+                options = options.replace("top=" + top, "top=" + (parseInt(top) + wTop));
+                options = options.replace("left=" + left, "left=" + (parseInt(left) + wLeft));
+                w = window.open(url, winnm, options);
+            } else w = window.open(url, winnm);
+            return w;
+        }
+
+        function firstAvailableValue(arr) {
+            for (var i = 0; i < arr.length; i++)
+                if (typeof arr[i] != 'undefined')
+                    return arr[i];
+        }
+
+        function doThisThing() {
+            if (currentLoginPopup) currentLoginPopup.close();
+            currentLoginPopup = popupCenterScreen('http://localhost:9090/popup?origin=' + encodeURIComponent("http://localhost:2020"), 'Login with Lavender', 500, 500, false);
+        }
     </script>
     <style>
-#someTextArea {
-  width: 400px;
-  height: 400px;
-}
+        #someTextArea {
+            width: 400px;
+            height: 400px;
+        }
     </style>
 </head>
 <body>
@@ -67,8 +89,14 @@ function doThisThing() {
     <div>
         <button onclick="doThisThing();">Login</button>
     </div>
-    <div>
-        <textarea id="someTextArea"></textarea>
+    <div style="display:flex; gap: 2em;">
+        <div>
+            <label for="someTextArea"></label><textarea id="someTextArea"></textarea>
+        </div>
+        <div>
+            <p>Permissions:</p>
+            <ul id="somePerms"></ul>
+        </div>
     </div>
 </main>
 </body>