
Feature #17772

Updated by Peter Amstutz over 2 years ago

(formerly: OIDC support "sub" claim)

We should prefer to use the "sub" claim to identify users (this is the way OIDC is _supposed_ to work), and only identify users by "email" as an optional backup strategy.

This also affects PAM and other login methods.

In Arvados:

* Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified):
  * oidc://
  * google://
  * ldap://
  * pam://
  * etc.

  The host part identifies the provider; the path part is the subject from the provider (URL encoded). Put this in the identity_url field of the user.

  When logging in, it searches for identity_url. If found, but the email address has changed, it updates the email address.

* Add a flag to specify if it should use the user email as a fallback.

  If the fallback is disabled and the identity_url is not found, the user cannot log in.

  If the fallback is enabled and the identity_url is not found, it searches by email address. If found, the user logs in, and it updates identity_url.

* Add an additional flag for "fallback only on empty identity_url".

  If the fallback is disabled and the identity_url is not found, the user cannot log in.

  If the fallback is enabled and the identity_url is not found, it searches by email address. If found _and_ the identity_url is blank, then the user logs in, and it updates identity_url.
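The lookup order described in the two steps above, as an added Go example (not Arvados's own controller code): it builds the proposed identity_url from provider type, host and URL-encoded subject, and models both flags over an in-memory user list. The type, function and field names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// User holds the two fields the issue relies on: identity_url and email.
type User struct{ IdentityURL, Email string }

// Policy holds the two flags the issue proposes.
type Policy struct {
	EmailFallback     bool // search by email when identity_url is not found
	FallbackOnlyEmpty bool // ...but only bind accounts whose identity_url is still blank
}

// IdentityURL builds <provider>://<host>/<subject>; the subject is URL-encoded so a
// provider-issued "sub" containing '/' or '?' cannot collide with another subject.
func IdentityURL(provider, host, subject string) string {
	return provider + "://" + host + "/" + url.PathEscape(subject)
}

// Login implements the lookup order from the issue: identity_url first, then
// (optionally) email, binding the account to the identity_url on a fallback hit.
func Login(users []*User, p Policy, identityURL, email string) (*User, error) {
	for _, u := range users {
		if u.IdentityURL == identityURL {
			u.Email = email // identity_url is the key; a changed email is just updated
			return u, nil
		}
	}
	if !p.EmailFallback {
		return nil, errors.New("identity_url not found and email fallback disabled")
	}
	for _, u := range users {
		// With FallbackOnlyEmpty, an account already bound to another subject is never taken over.
		if u.Email == email && (!p.FallbackOnlyEmpty || u.IdentityURL == "") {
			u.IdentityURL = identityURL // bind the account to the provider subject from now on
			return u, nil
		}
	}
	return nil, errors.New("no user matched, or the matching account is bound to another identity_url")
}

func main() {
	// Constructed sample: one legacy account that has never logged in through OIDC.
	users := []*User{{Email: "alice@example.org"}}
	id := IdentityURL("oidc", "accounts.example.com", "110248495921238986420")
	u, err := Login(users, Policy{EmailFallback: true, FallbackOnlyEmpty: true}, id, "alice@example.org")
	fmt.Println(u, err) // prints the bound user and <nil>
}
```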
