Arvados

(formally: OIDC support "sub" claim)

We should prefer to use the "sub" claim to identify users (this is the way OIDC is supposed to work), and only identify users by "email" as an optional backup strategy.

This also affects PAM and other login methods.

In Arvados:

• Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified).

oidc://

google://

ldap://

pam://

etc

the host part identifies the provider

the path part is the subject from the provider (URL encoded)

put this in the identity_url field of the user

When logging in, it searches for identity_url. If found, but the email address has changed, it updates the email address.

• Add flag to specify if it should use user email as a fallback.

If the fallback is disabled, if the identity_url is not found, the user cannot log in.

If the fallback is enabled, if the identity_url is not found, it searches by email address. If found, the user logs in, and it update identity_url.

• Add an additional flag for "fallback only on empty identity_url"

If the fallback is disabled, if the identity_url is not found, the user cannot log in.

If the fallback is enabled, if the identity_url is not found, it searches by email address. If found and the identity_url is blank, then the user logs in, and it update identity_url.