AshAuthentication.Strategy.OAuth2.UserResolver (ash_authentication v5.0.0-rc.11)

Copy Markdown View Source

Resolves which local user an OAuth2/OIDC sign-in belongs to.

Per OpenID Connect Core only the iss/sub claim combination uniquely and stably identifies an end-user, so matching is driven by the user identity resource - never by the email address.

Given the changeset for an OAuth2/OIDC register (upsert) action, the rules are:

  1. If an identity already exists for this (strategy, sub), the sign-in belongs to that user. The changeset's upsert keys are rewritten to that user's values so the upsert resolves to them (and the provider cannot change a user's email).

  2. Otherwise (a sub not seen before):

    • If no local account has the provider's email - proceed (a new account is created; if the email is not trusted and a confirmation add-on is present, that add-on gates it).
    • If an account with that email already has an identity for this strategy (a different sub) - reject. A single account cannot have two identities for the same provider auto-linked.
    • If the strategy's email_verified claim can be trusted (trust_email_verified? and the claim is true) - link the sign-in to that account.
    • Otherwise the email cannot be trusted to prove ownership. With on_untrusted_email_match :reject (the default) the sign-in is rejected and the user must sign in with their existing method to link the provider. With on_untrusted_email_match :confirm the upsert is aborted with a ConfirmationRequired error so the caller can issue a confirmation to the existing account's email and link the provider only once the recipient proves ownership.

Rejections are surfaced as a generic AuthenticationFailed error to avoid leaking which email addresses are registered.