Skip to content

Commit c84adf1

Browse files
committed
style(docs): fix Prettier table formatting for sub examples (LFXV2-2192)
Signed-off-by: Audi Young <audi.mycloud@gmail.com>
1 parent 152cd43 commit c84adf1

2 files changed

Lines changed: 9 additions & 9 deletions

File tree

docs/architecture/backend/authentication.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -84,10 +84,10 @@ Two distinct identifiers travel on the OIDC user (`req.oidc.user`), and choosing
8484

8585
### What each one is
8686

87-
| Claim | Example | Shape | Source claim(s) |
88-
| ------------------------------ | ------------- | ------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
89-
| **`sub`** (Auth0 subject) | `auth0|jdoe` | Provider-prefixed, opaque, globally unique per identity | `user.sub` |
90-
| **`username`** (LFID username) | `jdoe` | Bare LF login handle, no provider prefix | `user['https://sso.linuxfoundation.org/claims/username']`, `user.nickname`, `user.username`, `user.preferred_username` |
87+
| Claim | Example | Shape | Source claim(s) |
88+
| ------------------------------ | ---------------------------- | ------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
89+
| **`sub`** (Auth0 subject) | <code>auth0&#124;jdoe</code> | Provider-prefixed, opaque, globally unique per identity | `user.sub` |
90+
| **`username`** (LFID username) | `jdoe` | Bare LF login handle, no provider prefix | `user['https://sso.linuxfoundation.org/claims/username']`, `user.nickname`, `user.username`, `user.preferred_username` |
9191

9292
- **`sub`** identifies the **Auth0 identity record**. It carries a connection prefix (`auth0|`, `github|`, `samlp|`, …), so the same person can have different `sub` values across connections. Treat it as an opaque token — never parse it, and never display it as if it were a username. Stripping the connection prefix is misleading: the bare value only coincidentally matches the LFID handle today and is not guaranteed to, so a stripped `sub` is not a substitute for `username`. Two call sites still use `getEffectiveSub(req)`: `badges.controller.ts` resolves verified emails via the auth-service (which also accepts a username or email), and `mktg-agents.controller.ts` binds chat sessions to their creator via internal owner tokens (`createSessionOwnerToken`/`verifySessionOwnerToken`). Neither path requires the prefixed `sub` upstream — badges passes it incidentally, and marketing agents uses it only for internal session binding.
9393
- **`username`** identifies the **LF person** by their LFID login handle (bare form, no prefix) and is what most upstream microservices index on going forward. Org role grants (`org-identity.controller.ts`, `org-navigation.service.ts`, `org-role-grants.service.ts`) query `b2b_org_settings` with `tags: ['member:${username}']` where `username` comes from `getEffectiveUsername(req)`. On surveys, `creator_username` holds the bare nickname and `creator_id` is set from the `https://sso.linuxfoundation.org/claims/username` claim.

docs/architecture/backend/impersonation.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -161,11 +161,11 @@ This is the single choke point — every controller and service uses `req.bearer
161161

162162
Many controllers and services read the user's email/username from `req.oidc.user` for server-side filtering (e.g., "get my meetings"). During impersonation, `req.oidc.user` is still the real user. Three helpers resolve the correct identity:
163163

164-
| Helper | Returns | Notes |
165-
| --------------------------- | ------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
166-
| `getEffectiveEmail(req)` | Impersonated email or OIDC email (lowercased) | Email-keyed lookups |
167-
| `getEffectiveUsername(req)` | Impersonated username or OIDC nickname/username/preferred_username | **Preferred** for identity references (LFID username, e.g. `jdoe`) |
168-
| `getEffectiveSub(req)` | Impersonated sub or OIDC sub | **`@deprecated`** — Auth0 sub (prefixed, e.g. `auth0|jdoe`); two incidental callers (badges email lookup, mktg-agents session owner binding) |
164+
| Helper | Returns | Notes |
165+
| --------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
166+
| `getEffectiveEmail(req)` | Impersonated email or OIDC email (lowercased) | Email-keyed lookups |
167+
| `getEffectiveUsername(req)` | Impersonated username or OIDC nickname/username/preferred_username | **Preferred** for identity references (LFID username, e.g. `jdoe`) |
168+
| `getEffectiveSub(req)` | Impersonated sub or OIDC sub | **`@deprecated`** — Auth0 sub (prefixed, e.g. <code>auth0&#124;jdoe</code>); two incidental callers (badges email lookup, mktg-agents session owner binding) |
169169

170170
For the full `username` vs `sub` distinction and the `sub``username` migration, see [`authentication.md`](./authentication.md#-identity-claims-username-vs-sub).
171171

0 commit comments

Comments
 (0)