Specify that the /openid/userinfo return value must be validated (#2288)

2026-01-11 19:46:27 +00:00 · 2026-01-06 19:23:19 +02:00 · 2026-01-06 19:23:19 +02:00 · 43c65786eb
commit 43c65786eb
parent f2b68c7163
2 changed files with 7 additions and 1 deletions
--- a/changelogs/server_server/newsfragments/2288.clarification
+++ b/changelogs/server_server/newsfragments/2288.clarification
@ -0,0 +1 @@
+Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.
--- a/data/api/server-server/openid.yaml
+++ b/data/api/server-server/openid.yaml
@ -43,7 +43,12 @@ paths:
                properties:
                  sub:
                    type: string
-                    description: The Matrix User ID who generated the token.
+                    description: |
+                      The Matrix User ID who generated the token.
+
+                      The caller MUST validate that the returned user ID is on the server they
+                      called (i.e. if you make a request to example.com and it returns
+                      `@alice:matrix.org`, the result is invalid).
                    example: "@alice:example.com"
                required:
                  - sub
				`@ -0,0 +1 @@`
				Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.