Feature #17772

Updated by Peter Amstutz 4 months ago

We should prefer to use the "sub" claim to identify users (this is the way OIDC is _supposed_ to work), and only identify users by "email" as an optional backup strategy.

In Arvados:

* Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified).

oidc://

google://

ldap://

etc

the host part identifies the provider

the path part is the subject from the provider (URL encoded)

put this in the identity_url field of the user

When logging in, it searches for identity_url. If found, but the email address has changed, it updates the email address.

* Add flag to specify if it should use user email as a fallback.

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, it searches by email address. If found, the user logs in, and it updates identity_url.

* Add an additional flag for "fallback only on empty identity_url"

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, it searches by email address. If found _and_ the identity_url is blank, then the user logs in, and it updates identity_url.
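The lookup order proposed in this comment (identity_url first, email only as a flagged fallback, with the "only on empty identity_url" variant), as an added example that is not Arvados code: the `User`, `LoginPolicy`, `IdentityURL` and `Resolve` names and the in-memory user slice are assumptions standing in for the real user table.

```go
package main

import (
	"fmt"
	"net/url"
)

// User is a minimal stand-in for an Arvados user record (assumed shape).
type User struct{ UUID, Email, IdentityURL string }

// LoginPolicy carries the two flags proposed in the issue.
type LoginPolicy struct {
	EmailFallback       bool // search by email when identity_url is unknown
	FallbackOnlyIfEmpty bool // adopt an email match only if its identity_url is blank
}
var ErrLoginDenied = fmt.Errorf("login denied: no matching user")

// IdentityURL builds <provider>://<host>/<subject>; the subject is path-escaped
// so a subject containing "/" or "?" cannot be confused with a different one.
func IdentityURL(provider, host, subject string) string {
	return provider + "://" + host + "/" + url.PathEscape(subject)
}

// Resolve applies the lookup order from the issue: identity_url first, then
// (if allowed) email, binding identity_url to the account on a fallback hit.
func Resolve(users []*User, p LoginPolicy, identityURL, email string) (*User, error) {
	for _, u := range users {
		if u.IdentityURL == identityURL {
			if email != "" && u.Email != email {
				u.Email = email // provider is authoritative: sync the changed address
			}
			return u, nil
		}
	}
	if !p.EmailFallback {
		return nil, ErrLoginDenied
	}
	for _, u := range users {
		if u.Email == email {
			if p.FallbackOnlyIfEmpty && u.IdentityURL != "" {
				return nil, ErrLoginDenied // account already bound to another subject
			}
			u.IdentityURL = identityURL // bind this subject to the account
			return u, nil
		}
	}
	return nil, ErrLoginDenied
}

func main() { fmt.Println(IdentityURL("oidc", "idp.example", "alice/1")) }
```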
