From decf0fc8ceeb8466d3e61040fffcc1b5aed73e26 Mon Sep 17 00:00:00 2001
From: Cristian Le
Date: Wed, 5 May 2021 08:12:17 +0900
Subject: [PATCH] Revert using preferred_username

It might present a security issue if the users can change this value for themselves. Needs further investigation
---
 authority/provisioner/oidc.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 79a10ffd..33988a0a 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -389,7 +389,8 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	// Get the identity using either the default identityFunc or one injected
 	// externally. Note that the PreferredUsername might be empty.
-	iden, err := o.getIdentityFunc(ctx, o, claims.Email, claims.PreferredUsername)
+	// TBD: Would preferred_username present a safety issue here?
+	iden, err := o.getIdentityFunc(ctx, o, claims.Email)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
 	}
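Review bot: The retained context comment "Note that the PreferredUsername might be empty." is now stale, since the new call passes only claims.Email to getIdentityFunc, and the added "TBD" line records a question rather than the reason the claim was dropped. The reason is well established and worth stating in the code so the next maintainer does not reintroduce it: OpenID Connect Core (section 5.1) says preferred_username is not guaranteed to be unique and the relying party must not rely on it as such, and at many providers it is user-editable, so it is unsafe as an input to SSH principal derivation. I would replace both comment lines with `// externally. Only the email claim is passed: preferred_username is not` / `// guaranteed unique or stable by OIDC Core (5.1) and may be user-editable at the` / `// provider, so it must not be used to derive SSH identities.` AuthorizeSSHSign begins before this hunk and continues after it, and the diffstat shows no change to getIdentityFunc's declared type, so presumably it already accepts the three-argument form; worth confirming it compiles.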