[GoToSocial] Handling OIDC-native username conflicts

In some cases, such as when a server has been switched to use OIDC after already using default settings for a while, there may be an overlap between usernames returned from OIDC, and usernames that already existed in the database.

For example, let’s say that someone with username gordonbrownfan and email address gordon_is_best@example.org has an account on a GtS instance that uses the default sign-in flow.

That GtS instance then switches to using OIDC login. However, in the OIDC’s storage there’s also a user with username gordonbrownfan. If this user has the email address gordon_is_best@example.org, then GoToSocial will assume that the two users are the same and just log gordonbrownfan in as though nothing had changed. No problem!

However, if the user in the OIDC storage has a different email address, GoToSocial will try to create a new user and account for this person.

Since the username gordonbrownfan is already taken, GoToSocial will try gordonbrownfan1. If this is also taken, it will try gordonbrownfan2, and so on, until it finds a username that’s not yet taken. It will then sign the requester in as that user/account, distinct from the original gordonbrownfan.

I find it to be simple with no possibility of failures :open_mouth:
https://docs.gotosocial.org/en/latest/configuration/oidc/

1 Like
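The resolution flow quoted in the post above, as an added sketch that is not GoToSocial's own code and not part of the original post. The `user`, `store` and `resolveOIDCLogin` names and the in-memory map are assumptions; it models a first OIDC sign-in only and shows how a mismatched email produces a second, separate account.

```go
package main

import (
	"fmt"
	"strconv"
)

// user is a hypothetical local account record (not GoToSocial's schema).
type user struct {
	Username string
	Email    string
}

// store is a hypothetical in-memory stand-in for the database, keyed by username.
type store map[string]user

// resolveOIDCLogin follows the flow described in the quoted docs:
// same username and same email -> sign in as the existing account;
// otherwise create a new account, trying name, name1, name2, ... until one is free.
// It returns the local username used and whether a new account was created.
// How a returning suffixed user is recognised later is not covered by the quoted text.
func resolveOIDCLogin(db store, claimUsername, claimEmail string) (string, bool) {
	if existing, ok := db[claimUsername]; ok && existing.Email == claimEmail {
		return existing.Username, false
	}
	candidate := claimUsername
	for n := 1; ; n++ {
		if _, taken := db[candidate]; !taken {
			break
		}
		candidate = claimUsername + strconv.Itoa(n)
	}
	db[candidate] = user{Username: candidate, Email: claimEmail}
	return candidate, true
}

func main() {
	// Constructed sample data using the names from the post.
	db := store{"gordonbrownfan": {"gordonbrownfan", "gordon_is_best@example.org"}}
	emails := []string{"gordon_is_best@example.org", "gordon@example.com", "gb@example.net"}
	for _, email := range emails {
		name, created := resolveOIDCLogin(db, "gordonbrownfan", email)
		fmt.Printf("claim email %-28s -> local user %-16s new=%v\n", email, name, created)
	}
}
```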

I think GitLab has a similar name mechanism. I don’t use GitLab really, don’t want to sign up, but occasionally log in via my existing GitHub account to gitlab.com and some others. Somehow, and I didn’t notice this at first, gitlab.com started signing me in as ‘aschrijver1’. How that happened idk, maybe I fiddled in GitHub mail settings but not that I can remember.

The result is a confusing situation for other GitLab users in that both ‘aschrijver’ and ‘aschrijver1’ accounts are me. Also should I value the contrib on those I’d not be happy with this account split.

2 Likes

Agreed, this works, but the result is less than ideal. The alternative is to use usernames with source hostname included (for instance, username@example.org), but that will leak information about the SSO you are using and also make username mentions less ergonomic.

1 Like