Idea #15558

Updated by Peter Amstutz over 4 years ago

Goal: identify users by email address as a fallback when the identity_url is different (due to a different upstream login) or when the user changes their primary email (this assumes the old email is listed as an alternate).

 h2. SSO 

 When providing the callback response to the API, include all upstream-provided email addresses as alternates in addition to the primary.

 h2. Login 

 When logging in, if the identity_url doesn't match a user, look up user by email address, filtering out remote users: 

 # try primary address first 
 # then try alternate addresses 

 If more than one address matches: if there is exactly one match without a redirect, use that. If all matches have a redirect: if all redirect to the same account (or there is just one match), use that. If it is still ambiguous which account to use, login fails.

 Once the primary user account has been selected, update the identity_url, email address, and name based on the SSO callback. 
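
The selection rules above as an added, in-memory sketch (not the project's code; the later update of identity_url, email and name is not modelled). Assumptions: the @User@ struct, the @redirect_to@ and @remote@ fields, all helper names, exact-string email comparison, and that "alternate addresses" means the alternates sent in the SSO callback, matched against each user's email.

```ruby
# Added example. Only identity_url and email come from the issue text;
# every other name here is hypothetical.
User = Struct.new(:uuid, :identity_url, :email, :redirect_to, :remote, keyword_init: true)

# Constructed sample records.
USERS = [
  User.new(uuid: "u1", identity_url: "https://idp-a.example/1", email: "ann@example.com"),
  User.new(uuid: "u2", identity_url: "https://idp-a.example/2", email: "bob@old.example", redirect_to: "u3"),
  User.new(uuid: "u3", identity_url: "https://idp-b.example/3", email: "bob@example.com"),
  User.new(uuid: "u4", identity_url: "https://idp-a.example/4", email: "cat@example.com"),
  User.new(uuid: "u5", identity_url: "https://idp-b.example/5", email: "cat@example.com"),
  User.new(uuid: "u6", identity_url: "https://remote.example/6", email: "dan@example.com", remote: true),
]

# Follow redirects to the final account; nil on a dangling link or a loop.
def resolve(users, user)
  seen = {}
  while user && user.redirect_to
    return nil if seen[user.uuid]
    seen[user.uuid] = true
    user = users.find { |u| u.uuid == user.redirect_to }
  end
  user
end

# Apply the disambiguation rules to a non-empty set of email matches.
def pick(users, matches)
  direct = matches.reject(&:redirect_to)
  return direct.first if direct.size == 1
  return nil unless direct.empty?            # several non-redirected accounts: ambiguous
  targets = matches.map { |m| resolve(users, m) }.uniq
  targets.size == 1 ? targets.first : nil    # all redirects must agree on one account
end

# Returns the selected User, or nil when login must fail.
def select_account(users, identity_url, primary, alternates = [])
  by_url = users.find { |u| u.identity_url == identity_url }
  return by_url if by_url
  local = users.reject(&:remote)             # remote users never match by email
  [[primary], alternates].each do |addrs|    # primary first, then alternates
    matches = local.select { |u| addrs.include?(u.email) }
    return pick(users, matches) unless matches.empty?
  end
  nil
end
```

Returning @nil@ for two non-redirected accounts sharing an address is what keeps the email fallback from silently binding a new upstream identity to the wrong account.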

 Additionally, because it is being used for identity, the 'email' column should no longer be user editable. 

 Database changes: add a uniqueness constraint to identity_url (it is already de facto unique, but it ought to be enforced).
