tripit: tripit-app provider issues sub = user email (hybrid-auth identity fix)
Review of tripit slice #50 caught that the provider's default sub_mode (hashed_user_id) would make Shell JWTs carry a sub that never matches the email-keyed prod user rows - first app login would either 500 in placeholder reconciliation or split the user's identity. sub_mode = user_email makes bearer and forward-auth resolve the same row.

Part of the Android APK work (tripit #50).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent
624747cc46
commit
765cfe803f
1 changed files with 5 additions and 0 deletions
@ -51,6 +51,11 @@ resource "authentik_provider_oauth2" "tripit_app" {
|
|||
name = "tripit-app"
|
||||
client_id = "tripit-app"
|
||||
client_type = "public"
|
||||
# sub = the user's EMAIL, not the default hashed_user_id: tripit prod users
|
||||
# are email-keyed (forwardauth provisioned id == email), and the backend's
|
||||
# hybrid bearer arm must resolve the SAME user row, not mint a hash-keyed
|
||||
# twin (review finding, tripit #50).
|
||||
sub_mode = "user_email"
|
||||
|
||||
authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
|
||||
invalidation_flow = data.authentik_flow.default_provider_invalidation.id
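Review bot: `sub_mode = "user_email"` on this public client makes the token subject a mutable attribute, and the comment above it does not say what keeps that value stable and unique. Because the backend resolves the user row by this value, an email change on the identity-provider side would stop matching the existing email-keyed row, and two accounts sharing an address would resolve to the same row. Suggest extending the comment to state the assumption (email is unique and cannot be changed by the user, or changes are reconciled in the backend) and to point at where that is enforced, so the constraint sits next to the setting that depends on it.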