We started to use ipsilon on id.opensuse.org with an LDAP backend that ignores capitalization in usernames. There we found that openid URLs would contain the capitalization the user provided at login and not the one from LDAP.
So when I logged in as bMwiedemann instead of bmwiedemann, I got another prompt to authorize the app and in the app I was then known as another user.
ipsilon should use what is in LDAP and not what the user used for login this time to guarantee consistent results.
I'd like @simo's thoughts on this too, but I think I'm not supposed to change this. At least based on the OpenID spec on normalization, I don't think I'm supposed to alter the returned data informed by the URL. I believe with OpenID Connect, we actually do what you're asking, because we return that information as the sub property for OIDC consumers to use. However, plain OpenID is considerably more restrictive...
sub
Metadata Update from @ngompa: - Custom field component adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
It is about what username ipsilon fills into identity url template https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openidp.py#_48
identity url template
currently it is what the user provides, not what LDAP holds as username.
This is a tough one, I can see users wanting it both ways. But I would not object to having a config option to force name canonicalization based on what's in the backend. The problem is whether this can cause issue with some protocol, but if that's the case, then we'll just have to recommend not using the option for the protocol.
Log in to comment on this ticket.