From 591014c190b6a4b351513554f735d66dd4abffd9 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Thu, 26 Feb 2026 05:20:37 +0000
Subject: [PATCH] Allow subject to be listed in a provider's `userid_claims` with special precedence.

Signed-off-by: Jason Volk
---
 src/api/client/session/sso.rs | 8 ++++++--
 src/core/config/mod.rs | 14 +++++++++++---
 tuwunel-example.toml | 14 +++++++++++---
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/src/api/client/session/sso.rs b/src/api/client/session/sso.rs
index a4c17da9..cce15996 100644
--- a/src/api/client/session/sso.rs
+++ b/src/api/client/session/sso.rs
@@ -597,10 +597,14 @@ async fn decide_user_id(
 return Ok(user_id);
 }
 
-let allowed =
-|claim: &str| provider.userid_claims.is_empty() || provider.userid_claims.contains(claim);
+let explicit = |claim: &str| provider.userid_claims.contains(claim);
+
+let allowed = |claim: &str| provider.userid_claims.is_empty() || explicit(claim);
 
 let choices = [
+explicit("sub")
+.then_some(userinfo.sub.as_str())
+.map(str::to_lowercase),
 userinfo
 .preferred_username
 .as_deref()
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 2c9e5965..e7caac85 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
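Review bot: The new first entry in `choices` lowercases `userinfo.sub` before it can become a Matrix localpart, but OIDC defines `sub` as an opaque, case-sensitive identifier, so two distinct subjects at the same provider that differ only in case would collapse onto one local account — and because this choice now outranks every other claim, that collision is not shadowed by `preferred_username` or the later fallbacks. Consider keeping the exact `sub` bytes for the "does this subject already have an account" lookup and only deriving the lowercase localpart for a fresh registration, or rejecting a `sub` whose lowercased form is already bound to a different subject. It would also help to record the assumption in place, e.g. `// "sub" is case-sensitive per OIDC Core; lowercasing can merge distinct subjects — the exact value is compared elsewhere` and to note that this `sub` is taken from the userinfo response and is presumed to have been checked against the ID token's `sub` as OIDC Core §5.3.2 requires, if that check lives elsewhere. The remainder of `decide_user_id`, including whatever validates the chosen localpart, is outside the hunk.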
@@ -2714,9 +2714,17 @@ pub struct IdentityProvider {
 /// compute a Matrix UserId for new registrations. Reviewing Tuwunel's
 /// documentation will be necessary for a complete description in detail. An
 /// empty array imposes no restriction here, avoiding generated fallbacks as
-/// much as possible. For simplicity we reserve a claim called "unique"
-/// which can be listed alone to ensure *only* generated ID's are used for
-/// registrations.
+/// much as possible.
+///
+/// For simplicity we reserve a claim called "unique" which can be listed
+/// alone to ensure *only* generated ID's are used for registrations.
+///
+/// Note that listing the claim "sub" has special significance and will take
+/// precedence over all other claims, listed or unlisted. "sub" is not
+/// normally used to determine a UserId unless explicitly listed here.
+///
+/// As of now arbitrary claims cannot be listed here, we only recognize
+/// specific hard-coded claims.
 ///
 /// default: []
 #[serde(default)]
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
index f2c7d1ea..9b9b9e18 100644
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -2320,9 +2320,17 @@
 # compute a Matrix UserId for new registrations. Reviewing Tuwunel's
 # documentation will be necessary for a complete description in detail. An
 # empty array imposes no restriction here, avoiding generated fallbacks as
-# much as possible. For simplicity we reserve a claim called "unique"
-# which can be listed alone to ensure *only* generated ID's are used for
-# registrations.
+# much as possible.
+#
+# For simplicity we reserve a claim called "unique" which can be listed
+# alone to ensure *only* generated ID's are used for registrations.
+#
+# Note that listing the claim "sub" has special significance and will take
+# precedence over all other claims, listed or unlisted. "sub" is not
+# normally used to determine a UserId unless explicitly listed here.
+#
+# As of now arbitrary claims cannot be listed here, we only recognize
+# specific hard-coded claims.
 #
 #userid_claims = []