Allow subject to be listed in a provider's userid_claims with special precedence.

Signed-off-by: Jason Volk <jason@zemos.net>
2026-02-26 05:20:37 +00:00
parent 99bbcb34b6
commit 591014c190
3 changed files with 28 additions and 8 deletions
--- a/src/api/client/session/sso.rs
+++ b/src/api/client/session/sso.rs
@@ -597,10 +597,14 @@ async fn decide_user_id(
 		return Ok(user_id);
 	}

-	let allowed =
-		|claim: &str| provider.userid_claims.is_empty() || provider.userid_claims.contains(claim);
+	let explicit = |claim: &str| provider.userid_claims.contains(claim);
+
+	let allowed = |claim: &str| provider.userid_claims.is_empty() || explicit(claim);

 	let choices = [
+		explicit("sub")
+			.then_some(userinfo.sub.as_str())
+			.map(str::to_lowercase),
 		userinfo
 			.preferred_username
 			.as_deref()