How to safely autoprovision an already existing user with an associated OIDC account?

Derison · January 22, 2024, 11:20am

Hey,

given the following scenario: I already have a user created in my webapp, that has an existing and verified email associated, but NO sub claim because he has never logged in via OIDC.
Now the company adds OIDC as Single-Sign-On option for authentication. As stated in the OIDC standard documentation you must never use the email as identifier:

Therefore, other Claims such as email, phone_number, preferred_username, and name MUST NOT be used as unique identifiers for the End-User, whether obtained from the ID Token or the UserInfo Endpoint.

Is there a safe way how to autprovision the existing user in the webapp with the user that has logged in via OIDC? Theoratically the emails would match, but as I understand, I should’nt use the email to match the users.

Is the only option to manually match both accounts by adding the sub claim to the user in my database?

vk-giri · February 2, 2024, 7:11pm

Hi, Okta has login(a profile attribute in user profile) as an unique id for all its users so that can work as an identifier. This login field is the value returned for the sub claim. So theoretically the matching of emails as you mentioned can work in this scenario.

andrea · March 3, 2024, 7:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
OIDC and email_verified claim through OIN OAuth/OIDC	2	232	July 26, 2024
OIDC id token claim to identify tenant OAuth/OIDC	3	1299	May 12, 2024
Can I trust the access token sub claim for identifying user? Questions	6	11896	February 4, 2022
Multiple attributes for user identification + API + OIDC tokens OAuth/OIDC	1	2705	February 12, 2024
Creating a new OIDC app to be published in OIN OIN Submissions	2	3265	January 12, 2022

How to safely autoprovision an already existing user with an associated OIDC account?

Related topics