given the following scenario: I already have a user created in my webapp, that has an existing and verified email associated, but NO sub claim because he has never logged in via OIDC.
Now the company adds OIDC as Single-Sign-On option for authentication. As stated in the OIDC standard documentation you must never use the email as identifier:
Therefore, other Claims such as email, phone_number, preferred_username, and name MUST NOT be used as unique identifiers for the End-User, whether obtained from the ID Token or the UserInfo Endpoint.
Is there a safe way how to autprovision the existing user in the webapp with the user that has logged in via OIDC? Theoratically the emails would match, but as I understand, I should’nt use the email to match the users.
Is the only option to manually match both accounts by adding the sub claim to the user in my database?