Description
Currently Trilium depends entirely on the IdP to not allow access unless I have it.
Although I'm not sure if this is the intended behavior or not, I do feel like at least some sort of validation should also happen on Trilium's side, considering Trilium actually saves the credentials but never uses them apart from displaying them in the UI.
Steps to reproduce
- Set up an IdP (I use Zitadel, but this can most likely be reproduced with basically anything)
- Set up OIDC in Trilium with user A
- Log out of the IdP, log in with user B
- Try logging into Trilium with user B
Expected
I get an access denied error.
Actual
I see my notes.
If I patch Trilium and add console.log({...n.oidc.user})
here, we can clearly see that the sub/email do differ, but Trilium gladly accepts us:
// logging in with user A
{
sid: 'V1_319531883744460802',
client_id: '341051034975666179',
email: '[redacted]',
email_verified: true,
family_name: '.',
given_name: 'alina 🌸',
groups: [ 'member' ],
locale: null,
name: 'alina 🌸',
picture: '[redacted]',
preferred_username: 'teidesu',
sub: '299735011228712984',
updated_at: 1735316808
}
// logging in with user B
{
sid: 'V1_341154293572698114',
client_id: '341051034975666179',
email: '[redacted]',
email_verified: true,
family_name: '.',
given_name: 'alina alt',
groups: [ 'member' ],
locale: null,
name: 'alina alt',
preferred_username: 'teidesu2',
sub: '301975159768612871',
updated_at: 1736487221
}
Again, this might be intended behavior, but I believe this should be explicitly stated in the documentation in that case, as this could be a massive security hole if someone sets up their instance without such an assumption.
TriliumNext Version
0.99.1
What operating system are you using?
Other Linux
What is your setup?
Server access only
Operating System Version
NixOS 25.04
Error logs
No response
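As an added example (not part of the original report and not TriliumNext's own code), here is what the missing server-side validation described above could look like in JavaScript: the account that completes OIDC setup is bound by its `sub` claim, and every later login is compared against that stored `sub`, with the instance failing closed when nothing is bound. The helper names (`createBindingStore`, `authorizeOidcLogin`, `runScenario`) and the in-memory store are assumptions; the two claim sets are constructed from the report's output with the e-mail addresses replaced and the remaining fields dropped.

```javascript
// Added example, not TriliumNext code. Binds an OIDC login to the single
// account configured at setup by comparing the ID token's `sub` claim with the
// stored one. `sub` is the stable subject identifier the IdP guarantees for a
// user (scoped to one issuer); `email` and `preferred_username` can be changed
// or reassigned at the IdP, so they are not a safe key. All function names
// below are hypothetical and are not Trilium APIs.

// Constructed claim sets modeled on the two logins in the report
// (e-mail addresses replaced, other fields dropped).
const USER_A_CLAIMS = {
  sub: "299735011228712984",
  email: "a@example.invalid",
  email_verified: true,
  preferred_username: "teidesu",
};
const USER_B_CLAIMS = {
  sub: "301975159768612871",
  email: "b@example.invalid",
  email_verified: true,
  preferred_username: "teidesu2",
};

// In-memory stand-in for wherever the server persists the bound subject
// (assumption: a real implementation would store this next to the OIDC settings).
function createBindingStore() {
  let bound = null;
  return {
    // Called once, during OIDC setup, with the claims of the account that
    // should own this instance.
    bind(claims) {
      if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
        throw new Error("cannot bind an account without a sub claim");
      }
      bound = { sub: claims.sub };
    },
    get() {
      return bound;
    },
  };
}

// Constant-time string comparison: a mismatch should not leak how many
// leading characters of the bound subject an attacker guessed correctly.
function safeEqual(a, b) {
  const x = String(a);
  const y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

// Decide whether a freshly authenticated user may open the instance.
// Returns { ok, reason } so the caller can log the reason server-side and
// show the user only a generic "access denied".
function authorizeOidcLogin(store, claims) {
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    return { ok: false, reason: "id token has no usable sub claim" };
  }
  const bound = store.get();
  if (bound === null) {
    // Fail closed: with no bound account nobody gets in, instead of trusting
    // whoever the IdP happens to authenticate.
    return { ok: false, reason: "no account bound to this instance" };
  }
  if (!safeEqual(bound.sub, claims.sub)) {
    return { ok: false, reason: `subject ${claims.sub} is not the bound account` };
  }
  return { ok: true, reason: "subject matches the bound account" };
}

// Walk the scenario from the report: bind user A at setup, then try both users.
function runScenario() {
  const store = createBindingStore();
  const beforeSetup = authorizeOidcLogin(store, USER_A_CLAIMS);
  store.bind(USER_A_CLAIMS);
  return {
    beforeSetup,
    userA: authorizeOidcLogin(store, USER_A_CLAIMS),
    userB: authorizeOidcLogin(store, USER_B_CLAIMS),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Comparing `sub` rather than `email` or `preferred_username` is deliberate: the report's two dumps differ in all three, but only `sub` is the identifier an OIDC IdP promises to keep stable and unique for a user. A deployment that trusts more than one issuer would additionally need to store and compare the `iss` claim, which the report's dumps do not show.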