studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Allow subject to be listed in a provider's userid_claims with special precedence.

Browse Source 
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
2026-02-26 05:20:37 +00:00
parent 99bbcb34b6
commit 591014c190
3 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/api/client/session/sso.rs
View File

@@ -597,10 +597,14 @@ async fn decide_user_id(
return Ok(user_id); return Ok(user_id);
} }
let allowed = let explicit = |claim: &str| provider.userid_claims.contains(claim);
|claim: &str| provider.userid_claims.is_empty() || provider.userid_claims.contains(claim);
let allowed = |claim: &str| provider.userid_claims.is_empty() || explicit(claim);
let choices = [ let choices = [
explicit("sub")
.then_some(userinfo.sub.as_str())
.map(str::to_lowercase),
userinfo userinfo
.preferred_username .preferred_username
.as_deref() .as_deref()

14
src/core/config/mod.rs
View File

@@ -2714,9 +2714,17 @@ pub struct IdentityProvider {
/// compute a Matrix UserId for new registrations. Reviewing Tuwunel's /// compute a Matrix UserId for new registrations. Reviewing Tuwunel's
/// documentation will be necessary for a complete description in detail. An /// documentation will be necessary for a complete description in detail. An
/// empty array imposes no restriction here, avoiding generated fallbacks as /// empty array imposes no restriction here, avoiding generated fallbacks as
/// much as possible. For simplicity we reserve a claim called "unique" /// much as possible.
/// which can be listed alone to ensure *only* generated ID's are used for ///
/// registrations. /// For simplicity we reserve a claim called "unique" which can be listed
/// alone to ensure *only* generated ID's are used for registrations.
///
/// Note that listing the claim "sub" has special significance and will take
/// precedence over all other claims, listed or unlisted. "sub" is not
/// normally used to determine a UserId unless explicitly listed here.
///
/// As of now arbitrary claims cannot be listed here, we only recognize
/// specific hard-coded claims.
/// ///
/// default: [] /// default: []
#[serde(default)] #[serde(default)]

14
tuwunel-example.toml
View File

@@ -2320,9 +2320,17 @@
# compute a Matrix UserId for new registrations. Reviewing Tuwunel's # compute a Matrix UserId for new registrations. Reviewing Tuwunel's
# documentation will be necessary for a complete description in detail. An # documentation will be necessary for a complete description in detail. An
# empty array imposes no restriction here, avoiding generated fallbacks as # empty array imposes no restriction here, avoiding generated fallbacks as
# much as possible. For simplicity we reserve a claim called "unique" # much as possible.
# which can be listed alone to ensure *only* generated ID's are used for #
# registrations. # For simplicity we reserve a claim called "unique" which can be listed
# alone to ensure *only* generated ID's are used for registrations.
#
# Note that listing the claim "sub" has special significance and will take
# precedence over all other claims, listed or unlisted. "sub" is not
# normally used to determine a UserId unless explicitly listed here.
#
# As of now arbitrary claims cannot be listed here, we only recognize
# specific hard-coded claims.
# #
#userid_claims = [] #userid_claims = []