Allow subject to be listed in a provider's userid_claims with special precedence.

Signed-off-by: Jason Volk <jason@zemos.net>
2026-02-26 05:20:37 +00:00
parent 99bbcb34b6
commit 591014c190
3 changed files with 28 additions and 8 deletions
--- a/src/api/client/session/sso.rs
+++ b/src/api/client/session/sso.rs
@@ -597,10 +597,14 @@ async fn decide_user_id(
 		return Ok(user_id);
 	}

-	let allowed =
-		|claim: &str| provider.userid_claims.is_empty() || provider.userid_claims.contains(claim);
+	let explicit = |claim: &str| provider.userid_claims.contains(claim);
+
+	let allowed = |claim: &str| provider.userid_claims.is_empty() || explicit(claim);

 	let choices = [
+		explicit("sub")
+			.then_some(userinfo.sub.as_str())
+			.map(str::to_lowercase),
 		userinfo
 			.preferred_username
 			.as_deref()
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -2714,9 +2714,17 @@ pub struct IdentityProvider {
 	/// compute a Matrix UserId for new registrations. Reviewing Tuwunel's
 	/// documentation will be necessary for a complete description in detail. An
 	/// empty array imposes no restriction here, avoiding generated fallbacks as
-	/// much as possible. For simplicity we reserve a claim called "unique"
-	/// which can be listed alone to ensure *only* generated ID's are used for
-	/// registrations.
+	/// much as possible.
+	///
+	/// For simplicity we reserve a claim called "unique" which can be listed
+	/// alone to ensure *only* generated ID's are used for registrations.
+	///
+	/// Note that listing the claim "sub" has special significance and will take
+	/// precedence over all other claims, listed or unlisted. "sub" is not
+	/// normally used to determine a UserId unless explicitly listed here.
+	///
+	/// As of now arbitrary claims cannot be listed here, we only recognize
+	/// specific hard-coded claims.
 	///
 	/// default: []
 	#[serde(default)]
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -2320,9 +2320,17 @@
 # compute a Matrix UserId for new registrations. Reviewing Tuwunel's
 # documentation will be necessary for a complete description in detail. An
 # empty array imposes no restriction here, avoiding generated fallbacks as
-# much as possible. For simplicity we reserve a claim called "unique"
-# which can be listed alone to ensure *only* generated ID's are used for
-# registrations.
+# much as possible.
+#
+# For simplicity we reserve a claim called "unique" which can be listed
+# alone to ensure *only* generated ID's are used for registrations.
+#
+# Note that listing the claim "sub" has special significance and will take
+# precedence over all other claims, listed or unlisted. "sub" is not
+# normally used to determine a UserId unless explicitly listed here.
+#
+# As of now arbitrary claims cannot be listed here, we only recognize
+# specific hard-coded claims.
 #
 #userid_claims = []