Specify that the /openid/userinfo return value must be validated

2026-03-06 19:54:09 +01:00 · 2025-12-30 17:57:44 +02:00 · 2025-12-30 17:57:44 +02:00 · fd1fcf8d2c
parent 2f6867348f
commit fd1fcf8d2c
2 changed files with 7 additions and 1 deletions
--- a/changelogs/server_server/newsfragments/2288.clarification
+++ b/changelogs/server_server/newsfragments/2288.clarification
@ -0,0 +1 @@
 Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.
--- a/data/api/server-server/openid.yaml
+++ b/data/api/server-server/openid.yaml
@ -43,7 +43,12 @@ paths:
                properties:
                  sub:
                    type: string
-                    description: The Matrix User ID who generated the token.
+                    description: |
                      The Matrix User ID who generated the token.
                      The caller MUST validate that the returned user ID is on the server they
                      called (i.e. if you make a request to example.com and it returns
                      `@alice:matrix.org`, the result is invalid).
                    example: "@alice:example.com"
                required:
                  - sub
		`@ -0,0 +1 @@`
							Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.