From bb1e051b278650cd7f7cfe00df91070e74aca21c Mon Sep 17 00:00:00 2001 From: Cristian Le Date: Wed, 5 May 2021 08:12:17 +0900 Subject: [PATCH] Revert using preferred_username It might present a security issue if the users can change this value for themselves. Needs further investigation --- authority/provisioner/oidc.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index 79a10ffd..33988a0a 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go @@ -389,7 +389,8 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption // Get the identity using either the default identityFunc or one injected // externally. Note that the PreferredUsername might be empty. - iden, err := o.getIdentityFunc(ctx, o, claims.Email, claims.PreferredUsername) + // TBD: Would preferred_username present a safety issue here? + iden, err := o.getIdentityFunc(ctx, o, claims.Email) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign") }