vikunja/pkg
kolaente 0a407e5656 fix(auth): match OIDC username fallback on preferred_username as well as subject
When the username fallback is enabled, the local account lookup only matched
the local username against the OIDC `sub` claim. For providers that issue an
opaque, random `sub` (e.g. PocketID's UUID), this never matched a real local
username, so a duplicate user was created instead of linking the existing
local account.

The fallback now tries the `sub` first (preserving today's behaviour for IdPs
where sub == username) and, if no match is found, the `preferred_username`
claim (normalized the same way user creation normalizes it). When EmailFallback
is also enabled, the email continues to be ANDed with each username candidate.

Configuring an OIDC provider already delegates trust to it, and the username
fallback is an admin-enabled opt-in, so matching the admin-trusted
`preferred_username` is appropriate; `sub` matching is kept for backward
compatibility.

Fixes #2705
2026-06-19 16:31:34 +02:00
audit refactor(events): use a concrete doer on project and team events 2026-06-12 08:56:08 +00:00
caldav fix(caldav): escape user-controlled strings per RFC 5545 in VCALENDAR output 2026-04-09 15:44:04 +00:00
caldavtests fix(caldav): skip tests for known CalDAV bugs and fix timing issues 2026-04-02 11:34:55 +00:00
cmd fix(cli): guard last admin on scheduled CLI deletion path 2026-04-20 18:55:06 +00:00
config feat(config): add audit logging config keys 2026-06-12 08:56:08 +00:00
cron fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db fix(db): interpolate table identifiers in truncate instead of binding them 2026-06-17 12:13:50 +00:00
doctor feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00
e2etests test(webhook): assert bad webhook is retried in no-duplicate test 2026-04-09 09:26:04 +00:00
events fix(notifications): use full user so notifications show display name 2026-06-18 20:57:05 +00:00
files docs(api/v2): tag task attachment fields for the v2 schema 2026-06-10 10:22:39 +00:00
health feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
i18n chore(i18n): update translations via Crowdin 2026-05-27 02:31:52 +00:00
initialize feat(audit): wire request-meta middleware and writer initialization 2026-06-12 08:56:08 +00:00
license fix(license): degrade to free when servers unreachable or key rejected 2026-04-20 18:55:06 +00:00
log fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
mail feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
metrics refactor(metrics): count entities on demand with a TTL cache 2026-05-30 13:48:01 +00:00
migration fix(migration): fail loudly if a deduplicated position pair has no row 2026-06-17 21:16:41 +00:00
models feat(projects): make duplicating shares opt-in (#2932) 2026-06-19 10:15:58 +02:00
modules fix(auth): match OIDC username fallback on preferred_username as well as subject 2026-06-19 16:31:34 +02:00
notifications fix(notifications): strip remote images from notification emails 2026-06-11 06:53:37 +00:00
plugins test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00
red fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
routes feat(projects): make duplicating shares opt-in (#2932) 2026-06-19 10:15:58 +02:00
swagger [skip ci] Updated swagger docs 2026-06-17 19:43:01 +00:00
user feat(api/v2): add totp qr code endpoint 2026-06-17 18:39:38 +00:00
utils fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
version fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
web fix(files): never cache file downloads in v1 or v2 2026-06-17 18:39:38 +00:00
websocket feat(time-tracking): let clients subscribe to timer events 2026-06-08 13:54:09 +00:00
webtests feat(api/v2): expose websocket endpoint under /api/v2 2026-06-17 20:35:28 +00:00
yaegi_symbols refactor(user): remove the now-empty listeners file 2026-05-30 13:48:01 +00:00