vikunja/pkg/modules
kolaente 0a407e5656 fix(auth): match OIDC username fallback on preferred_username as well as subject
When the username fallback is enabled, the local account lookup only matched
the local username against the OIDC `sub` claim. For providers that issue an
opaque, random `sub` (e.g. PocketID's UUID), this never matched a real local
username, so a duplicate user was created instead of linking the existing
local account.

The fallback now tries the `sub` first (preserving today's behaviour for IdPs
where sub == username) and, if no match is found, the `preferred_username`
claim (normalized the same way user creation normalizes it). When EmailFallback
is also enabled, the email continues to be ANDed with each username candidate.

Configuring an OIDC provider already delegates trust to it, and the username
fallback is an admin-enabled opt-in, so matching the admin-trusted
`preferred_username` is appropriate; `sub` matching is kept for backward
compatibility.

Fixes #2705
2026-06-19 16:31:34 +02:00
auth fix(auth): match OIDC username fallback on preferred_username as well as subject 2026-06-19 16:31:34 +02:00
avatar fix(api/v2): reject non-decodable images (e.g. SVG) on avatar upload with 400 2026-06-02 11:55:25 +00:00
background refactor(background): extract download + unsplash-proxy logic for reuse 2026-06-17 11:31:50 +00:00
dump chore(lint): suppress known gosec false positives 2026-03-23 16:23:15 +01:00
humaecho5 feat: vendor humaecho adapter for echo/v5 2026-05-31 12:56:57 +00:00
keyvalue fix(keyvalue): treat undecodable cached values as a cache miss 2026-05-30 13:48:01 +00:00
migration refactor(migration): extract file/CSV migrate orchestration into shared funcs 2026-06-12 08:51:19 +00:00