Hi,
the plugin works well for years, but I stumbled upon my first SSO user having a username ending in an underscore, e.g. a disallowed username.
That user cannot login to Discourse. I think OIDC then tries to create an account with a username just without the underscore. Which is fine, but if that account already exists (username foo exists, username foo_ cannot login because “Account already exists” error), there seems to be an impersonation (attempt) in some part:
The username foo gets an email that they tried to create an account or tried to change the email of an account but that email was already taken.
This is during first-login, e.g. account-creation via SSO, for foo_. So foo_ tries to create an account as foobut cant because the name is already taken. But why does the original foo now get a email-notification for that?
You just tried to create an account at \<discourse\>, or tried to change the email of an account to \<email of foo\>
Is there a solution for the problem of having username and username_ in OIDC, like configuring the way discourse handles invalid usernames during auth?