pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

Fix unallowed characters in username #259

Open azmeuk opened 8 months ago

azmeuk commented 8 months ago

Nextcloud does not allow accented or special characters in usernames: https://github.com/nextcloud/server/issues/21313

However, sometimes nextcloud-oidc-login is plugged into an IDP where users already have accented characters.

I suggest that nextcloud-oidc-login automatically fixes unallowed characters in usernames: replacing accents with unaccented characters and removing other unallowed characters.

pulsejet commented 8 months ago

Sounds good. This needs to be configurable since it potentially opens up attack vectors. If the IdP has a user azmeuk, then I can create another user àzmeuk in the IdP and pretend to be azmeuk in Nextcloud.

A possible solution would be to suffix the username with some kind of hash of the original, whenever any transformation is done.
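
The collision described in the comment above and the hash-suffix mitigation, as an added Python sketch that is not code from nextcloud-oidc-login. The allowed character set, the 16-hex-digit suffix length and all function names are assumptions, and the IdP usernames are constructed.

```python
import hashlib
import re
import unicodedata
from collections import defaultdict

# Assumption: characters Nextcloud accepts in a user ID (a-z, A-Z, 0-9, _.@-').
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@'-]")
SUFFIX_HEX = 16  # assumption: 64 bits of SHA-256 kept as the suffix

# Constructed IdP usernames; three of them differ only in disallowed characters.
SAMPLE_IDP_NAMES = ["azmeuk", "\u00e0zmeuk", "azmeuk!", "pulsejet"]


def sanitize(idp_name):
    """Replace accented letters with their base letter, drop the rest."""
    decomposed = unicodedata.normalize("NFKD", idp_name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return DISALLOWED.sub("", base)


def suffixed_uid(idp_name):
    """Sanitize, and tag every altered name with a hash of the original."""
    cleaned = sanitize(idp_name)
    if cleaned == idp_name:
        return idp_name  # already valid: keep the IdP name untouched
    digest = hashlib.sha256(idp_name.encode("utf-8")).hexdigest()
    return f"{cleaned}-{digest[:SUFFIX_HEX]}"


def collisions(idp_names, mapper):
    """Return {uid: [idp names]} for every UID claimed by more than one name."""
    by_uid = defaultdict(list)
    for name in idp_names:
        by_uid[mapper(name)].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print("sanitize only:", collisions(SAMPLE_IDP_NAMES, sanitize))
    print("hash suffix:  ", collisions(SAMPLE_IDP_NAMES, suffixed_uid))
    for name in SAMPLE_IDP_NAMES:
        print(f"{name!r} -> {suffixed_uid(name)!r}")
```

An IdP name that is already valid passes through unchanged, so it can still be spelled to equal a suffixed UID; the suffix narrows the collision but does not replace a uniqueness check when the account is provisioned.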