When the username fallback is enabled, the local account lookup only matched the local username against the OIDC `sub` claim. For providers that issue an opaque, random `sub` (e.g. PocketID's UUID), this never matched a real local username, so a duplicate user was created instead of linking the existing local account. The fallback now tries the `sub` first (preserving today's behaviour for IdPs where sub == username) and, if no match is found, the `preferred_username` claim (normalized the same way user creation normalizes it). When EmailFallback is also enabled, the email continues to be ANDed with each username candidate. Configuring an OIDC provider already delegates trust to it, and the username fallback is an admin-enabled opt-in, so matching the admin-trusted `preferred_username` is appropriate; `sub` matching is kept for backward compatibility. Fixes #2705
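The lookup order the message describes, as an added Go example that is not the project's own code: the `LocalUser`/`Claims` types, the lowercase-and-trim `normalizeUsername` rule and the sample accounts are assumptions made for illustration.

```go
package main

import "strings"

// LocalUser is a constructed stand-in for a local account record.
type LocalUser struct {
	Username string
	Email    string
}
// Claims holds the OIDC claims the fallback consults (field names assumed).
type Claims struct {
	Sub               string
	PreferredUsername string
	Email             string
}
// SampleUsers is constructed test data, not real accounts.
func SampleUsers() []LocalUser {
	return []LocalUser{
		{Username: "alice", Email: "alice@example.com"},
		{Username: "bob", Email: "bob@example.com"},
	}
}
// normalizeUsername stands in for the project's user-creation normalization;
// lowercase plus trim is an assumption, the real rule may differ.
func normalizeUsername(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// FindLocalUser tries the raw sub first (old behaviour), then the normalized
// preferred_username. With emailFallback set, each username candidate is ANDed
// with an email match. ok=false means nothing linked; the caller would create a user.
func FindLocalUser(users []LocalUser, c Claims, emailFallback bool) (LocalUser, bool) {
	candidates := []string{c.Sub, normalizeUsername(c.PreferredUsername)}
	for _, cand := range candidates {
		if cand == "" {
			continue
		}
		for _, u := range users {
			if u.Username != cand {
				continue
			}
			if emailFallback && !strings.EqualFold(u.Email, c.Email) {
				continue
			}
			return u, true
		}
	}
	return LocalUser{}, false
}
```

An opaque `sub` with a matching `preferred_username` now links the existing account instead of creating a duplicate, and an email mismatch under EmailFallback still refuses the link.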