Problem
For some reason, sub is an opaque string in the OIDC flow. However, the proper user ID is returned in the id_token:
    {
      "iss": "https://oauth.telegram.org",
      "aud": "123456789",
      "sub": "1234123412341234123",
      "iat": 1700000000,
      "exp": 1700003600,
      "id": 987654321,
      "name": "John Doe",
      "preferred_username": "johndoe",
      "picture": "https://cdn4.telesco.pe/file...",
      "phone_number": "971577777777"
    }
This would allow us to match users from OIDC with other flows.
Proposed Solution
Store the id claim as telegramId on the user table. If a user row exists with this telegramId already, use it (this might not work with the generic OAuth2 plugin though).
Alternatives Considered
Storing the same fake email with the real user ID in the miniapp and the OIDC flows seems to work fine:
    telegram({
      botToken: env.TELEGRAM_BOT_TOKEN,
      botUsername: env.TELEGRAM_BOT_USERNAME,
      loginWidget: false,
      miniApp: {
        enabled: true,
        validateInitData: true,
        allowAutoSignin: true,
        mapMiniAppDataToUser: (data) => ({
          name: data.first_name,
          image: data.photo_url,
          email: `${data.id}@telegram.invalid`,
          emailVerified: false,
        }),
      },
      oidc: {
        enabled: true,
        clientSecret: env.TELEGRAM_CLIENT_SECRET,
        mapOIDCProfileToUser: (claims) => ({
          name: claims.name,
          image: claims.picture,
          email: `${(claims as any).id}@telegram.invalid`,
          emailVerified: false,
          telegramId: (claims as any).id,
        }),
      },
    })
OIDC flow looks for the email, and the miniapp flow looks for the telegramId, so it works whether the user has logged in with OIDC or through the miniapp first. That however means the user can’t change their email, or the OIDC flow will stop recognizing them.
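As an added illustration of both the proposed solution (match on the id claim stored as telegramId) and the fake-email workaround above, the following TypeScript is example code written for this issue, not code from the plugin or the library. It assumes hypothetical names (UserStore, findOrLinkUser, validateClaims) and an in-memory stand-in for the user table; the id_token signature is assumed to have been verified by the OIDC library before the claims reach this code. It matches on the stable numeric id first, accepts the synthetic `<id>@telegram.invalid` address only as a fallback for rows created under the old scheme (upgrading them with telegramId), and so keeps recognising a user after they change their email, which is exactly the case the fake-email approach breaks on.

```typescript
// Example code for this issue, not the plugin's own implementation.
// Names and the in-memory store are hypothetical stand-ins for the real user table.

type User = { id: string; email: string; telegramId?: number; name?: string };

// The subset of the Telegram id_token claims shown in the issue that we rely on.
type TelegramClaims = {
  iss: string; aud: string; sub: string; iat: number; exp: number;
  id: number; name?: string; picture?: string;
};

const EXPECTED_ISS = "https://oauth.telegram.org";

// Claim checks on the fields the linking step depends on. Signature verification
// is assumed to have already happened in the OIDC library; this only guards that the
// token was issued for us, is still valid, and carries a usable numeric id.
function validateClaims(claims: TelegramClaims, clientId: string, now: number): string | null {
  if (claims.iss !== EXPECTED_ISS) return "unexpected issuer";
  if (claims.aud !== clientId) return "audience mismatch";
  if (claims.exp <= now) return "token expired";
  if (!Number.isInteger(claims.id) || claims.id <= 0) return "missing or invalid id claim";
  return null;
}

// In-memory stand-in for the user table (constructed for the example).
class UserStore {
  private users: User[] = [];
  constructor(seed: User[] = []) { this.users = seed.map((u) => ({ ...u })); }
  byTelegramId(id: number): User | undefined { return this.users.find((u) => u.telegramId === id); }
  byEmail(email: string): User | undefined { return this.users.find((u) => u.email === email); }
  insert(u: User): User { this.users.push(u); return u; }
  count(): number { return this.users.length; }
}

// The synthetic address used by the fake-email workaround in the issue.
function fakeEmail(id: number): string { return `${id}@telegram.invalid`; }

type LinkResult = { user: User; via: "telegramId" | "email" | "created" };

function findOrLinkUser(store: UserStore, claims: TelegramClaims, clientId: string, now: number): LinkResult {
  const err = validateClaims(claims, clientId, now);
  if (err) throw new Error(`rejected id_token: ${err}`);

  // 1. Stable key first: the numeric Telegram id. This survives an email change.
  const byId = store.byTelegramId(claims.id);
  if (byId) return { user: byId, via: "telegramId" };

  // 2. Fallback for rows created under the fake-email scheme. Only the synthetic
  //    address derived from the verified id is accepted, never an arbitrary email
  //    claim, and the row is upgraded with telegramId so step 1 matches next time.
  const legacy = store.byEmail(fakeEmail(claims.id));
  if (legacy) { legacy.telegramId = claims.id; return { user: legacy, via: "email" }; }

  // 3. Nothing matched: create a fresh user row keyed by telegramId.
  const created = store.insert({
    id: `u${claims.id}`, email: fakeEmail(claims.id), telegramId: claims.id, name: claims.name,
  });
  return { user: created, via: "created" };
}

// Scenario from the issue: sign in via OIDC, change email, sign in via OIDC again.
function demoEmailChange(): { first: string; second: string; users: number } {
  const store = new UserStore();
  const clientId = "123456789";
  const now = 1700000100; // constructed: inside the token's iat..exp window
  const claims: TelegramClaims = {
    iss: EXPECTED_ISS, aud: clientId, sub: "1234123412341234123",
    iat: 1700000000, exp: 1700003600, id: 987654321, name: "John Doe",
  };
  const first = findOrLinkUser(store, claims, clientId, now).via;   // "created"
  store.byTelegramId(987654321)!.email = "john@example.com";        // user edits profile
  const second = findOrLinkUser(store, claims, clientId, now).via;  // "telegramId"
  return { first, second, users: store.count() };
}
```

The ordering is the point: a lookup keyed on the email alone, as in the workaround, stops recognising the user the moment the email changes, whereas a lookup keyed on the id claim (stored as telegramId) does not, and the email path remains only as a one-time migration for rows that predate the column.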
Additional Context
No response