@@ -430,7 +430,7 @@ pub(crate) async fn get(
430430 . with_code ( "User exists" )
431431 . with_description ( format ! (
432432 r"Upstream account provider returned {localpart:?} as username,
433- which is not linked to that upstream account"
433+ which is not linked to that upstream account"
434434 ) )
435435 . with_language ( & locale) ;
436436
@@ -444,23 +444,32 @@ pub(crate) async fn get(
444444 . evaluate_upstream_oauth_register ( & localpart, None )
445445 . await ?;
446446
447- if !res. valid ( ) {
447+ if res. valid ( ) {
448+ // The username passes the policy check, add it to the context
449+ ctx. with_localpart (
450+ localpart,
451+ provider. claims_imports . localpart . is_forced ( ) ,
452+ )
453+ } else if provider. claims_imports . localpart . is_forced ( ) {
454+ // If the username claim is 'forced' but doesn't pass the policy check,
455+ // we display an error message.
448456 // TODO: translate
449457 let ctx = ErrorContext :: new ( )
450458 . with_code ( "Policy error" )
451459 . with_description ( format ! (
452460 r"Upstream account provider returned {localpart:?} as username,
453- which does not pass the policy check: {res}"
461+ which does not pass the policy check: {res}"
454462 ) )
455463 . with_language ( & locale) ;
456464
457465 return Ok ( (
458466 cookie_jar,
459467 Html ( templates. render_error ( & ctx) ?) . into_response ( ) ,
460468 ) ) ;
469+ } else {
470+ // Else, we just ignore it when it doesn't pass the policy check.
471+ ctx
461472 }
462-
463- ctx. with_localpart ( localpart, provider. claims_imports . localpart . is_forced ( ) )
464473 }
465474 None => ctx,
466475 }
0 commit comments