How to safely autoprovision an already existing user with an associated OIDC account?


given the following scenario: I already have a user created in my webapp, that has an existing and verified email associated, but NO sub claim because he has never logged in via OIDC.
Now the company adds OIDC as Single-Sign-On option for authentication. As stated in the OIDC standard documentation you must never use the email as identifier:

Therefore, other Claims such as email, phone_number, preferred_username, and name MUST NOT be used as unique identifiers for the End-User, whether obtained from the ID Token or the UserInfo Endpoint.

Is there a safe way how to autprovision the existing user in the webapp with the user that has logged in via OIDC? Theoratically the emails would match, but as I understand, I should’nt use the email to match the users.

Is the only option to manually match both accounts by adding the sub claim to the user in my database?

Hi, Okta has login(a profile attribute in user profile) as an unique id for all its users so that can work as an identifier. This login field is the value returned for the sub claim. So theoretically the matching of emails as you mentioned can work in this scenario.