From 43c65786ebd39bbab5b53200d3d15745228edd1e Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Tue, 6 Jan 2026 19:23:19 +0200
Subject: [PATCH] Specify that the /openid/userinfo return value must be validated (#2288)
---
 changelogs/server_server/newsfragments/2288.clarification | 1 +
 data/api/server-server/openid.yaml | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/server_server/newsfragments/2288.clarification
diff --git a/changelogs/server_server/newsfragments/2288.clarification b/changelogs/server_server/newsfragments/2288.clarification
new file mode 100644
index 00000000..3558f255
--- /dev/null
+++ b/changelogs/server_server/newsfragments/2288.clarification
@@ -0,0 +1 @@
+Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID.
diff --git a/data/api/server-server/openid.yaml b/data/api/server-server/openid.yaml
index ce7d8866..22b7f941 100644
--- a/data/api/server-server/openid.yaml
+++ b/data/api/server-server/openid.yaml
@@ -43,7 +43,12 @@ paths:
 properties:
 sub:
 type: string
- description: The Matrix User ID who generated the token.
+ description: |
+ The Matrix User ID who generated the token.
+
+ The caller MUST validate that the returned user ID is on the server they
+ called (i.e. if you make a request to example.com and it returns
+ `@alice:matrix.org`, the result is invalid).
 example: "@alice:example.com"
 required:
 - sub
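Review bot: The new MUST in the `sub` description of data/api/server-server/openid.yaml does not say which name the returned user ID is compared against. "On the server they called" can be read as the server name the caller started from or as the host it actually reached after server discovery, and those may differ, so two implementations could validate differently. I would state the comparison explicitly, for example `The caller MUST verify that the server name part of the returned user ID exactly matches the server name it used to address this request; otherwise the response MUST be treated as invalid.` The parenthetical is a single illustration rather than a restatement, so `e.g.` fits better than `i.e.`. The enclosing response schema starts above the hunk, so I cannot see whether the spec says elsewhere how a caller should handle a mismatching result.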