From 09c8b7754b2cda3c1a538b52c8f74da127e7c65b Mon Sep 17 00:00:00 2001
From: Val Alexander
Date: Mon, 15 Jun 2026 08:52:05 -0500
Subject: [PATCH] fix(auth): do not trust custom OIDC for account linking
---
 apps/web/src/lib/server/auth/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/web/src/lib/server/auth/index.ts b/apps/web/src/lib/server/auth/index.ts
index 88c3c2bc5..b85f04e3b 100644
--- a/apps/web/src/lib/server/auth/index.ts
+++ b/apps/web/src/lib/server/auth/index.ts
@@ -251,7 +251,9 @@ async function createAuth() {
 ...(creds.tokenUrl && { tokenUrl: creds.tokenUrl }),
 scopes: scopeStr.split(/\s+/).filter(Boolean),
 })
- trustedProviders.push(provider.id)
+ // Do not trust arbitrary custom OIDC providers for automatic
+ // account linking. Built-in providers and dedicated workspace
+ // SSO are trusted separately.
 } else {
 // Built-in social providers
 const providerConfig: Record = {
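Review bot: The replacement comment says that custom OIDC providers are not trusted but not why, which is what will stop someone re-adding the `push` later; I would name the threat directly: `// A custom OIDC provider is operator-supplied and can assert any email claim; marking it trusted would let it link to (and take over) an existing account with that email.` Whether dropping the provider from `trustedProviders` actually prevents linking depends on how that array is consumed further down and on the auth library's default behaviour for untrusted providers (some still link on a verified-email claim), neither of which is visible in this hunk, so a regression test that logs in through a custom provider with an existing account's email and asserts no silent attach would make the fix verifiable. Users who previously signed in through a custom OIDC provider may now take a different path on their next login (a conflict or a fresh account); the commit description could state the expected behaviour for them. The enclosing `createAuth()` starts and ends outside the hunk.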