Merge fd1fcf8d2c into 690c41e33b

Specify that the /openid/userinfo return value must be validated
2026-04-29 13:54:10 +02:00 · 2025-12-30 21:32:28 +02:00 · 2025-12-30 17:57:44 +02:00
2 changed files with 7 additions and 1 deletions
--- a/changelogs/server_server/newsfragments/2288.clarification
+++ b/changelogs/server_server/newsfragments/2288.clarification
@ -0,0 +1 @@
+Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.
--- a/data/api/server-server/openid.yaml
+++ b/data/api/server-server/openid.yaml
@ -43,7 +43,12 @@ paths:
                properties:
                  sub:
                    type: string
-                    description: The Matrix User ID who generated the token.
+                    description: |
+                      The Matrix User ID who generated the token.
+
+                      The caller MUST validate that the returned user ID is on the server they
+                      called (i.e. if you make a request to example.com and it returns
+                      `@alice:matrix.org`, the result is invalid).
                    example: "@alice:example.com"
                required:
                  - sub
Author	SHA1	Message	Date
Tulir Asokan	43cf33a43b	Merge `fd1fcf8d2c` into `690c41e33b`	2025-12-30 21:32:28 +02:00
Tulir Asokan	fd1fcf8d2c	Specify that the /openid/userinfo return value must be validated	2025-12-30 17:57:44 +02:00
				`@ -0,0 +1 @@`
				Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.