-
@yuriyz can you take a look? Can we make the pairwise use a property, rather than the inum? Inum would not be the same, as Markus points out.
-
I have a Person Authentication script that supports inbound OIDCs, similar to what is described in the Janssen Recipes/Inbound OIDC documentation. When an external user is encountered for the first time, a new user is created locally. However, unlike the example in the documentation, I have an expiration mechanism that deletes the local user if he does not log in for a certain time. If after that the user logs in again, the local user is recreated with the same userId as before.
I noticed that a user, after it was deleted and recreated, has a different pairwise subject identifier (sub), even if the sub computation is set to deterministic. The public subject identifiers stay the same if `openidSubAttribute` is set accordingly. I understand that from Janssen's view it is a new user. I tracked the source of this behaviour to `PairwiseIdentifierService.findPairWiseIdentifier`, called by `SectorIdentifierService.getSub`. In that function the sub is derived from a `localAccountId`, which is either the `userInum` or the `userInum + clientId`.

My question now is if there is a security or other reason why the `inum` is used in the `localAccountId`. Would whatever is configured for `openidSubAttribute` work as well? Because if it does, using the `openidSubAttribute` in the `localAccountId` would make it more consistent with the public subject identifier method in general and, in my case, ensures sub stays the same even for recreated external users.
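As an added illustration (not code from the post, and not Janssen's own implementation), the following Python models the two choices for `localAccountId` described above using the example pairwise algorithm from OpenID Connect Core section 8.1, hash(sector_identifier || local_account_id || salt). The salt, inum values, uid and client id are constructed; the point it shows is that an inum-keyed sub changes when the local user is recreated, while an attribute-keyed sub stays stable yet remains different per sector and per client.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the server-side pairwise salt (in a real deployment
# this is secret configuration, never derived from user data).
PAIRWISE_SALT = b"constructed-example-salt"


@dataclass(frozen=True)
class User:
    inum: str                                   # store-assigned, new on re-creation
    attrs: dict = field(default_factory=dict)   # attributes such as uid / mail


def local_account_id(user: User, client_id: str, key_attr: str,
                     per_client: bool) -> str:
    """Model of the localAccountId choice: keyed by the inum, or by a
    configured attribute (what openidSubAttribute points to), optionally
    concatenated with the client id."""
    base = user.inum if key_attr == "inum" else user.attrs[key_attr]
    return base + client_id if per_client else base


def pairwise_sub(sector_identifier: str, local_id: str) -> str:
    """OIDC Core 8.1 example algorithm, with HMAC-SHA256 keyed by the salt
    as the hash: hash(sector_identifier || local_account_id || salt)."""
    msg = sector_identifier.encode() + b"\x00" + local_id.encode()
    return hmac.new(PAIRWISE_SALT, msg, hashlib.sha256).hexdigest()


def subs_across_recreation(key_attr: str, sector: str = "https://rp.example",
                           client_id: str = "client-1") -> tuple:
    """Same external user seen before and after local deletion/re-creation.
    The uid from the external IdP is identical; the inum is store-assigned
    and therefore different. Returns (sub_before, sub_after)."""
    before = User("@!CONSTRUCTED.0001", {"uid": "alice@idp.example"})
    after = User("@!CONSTRUCTED.0002", {"uid": "alice@idp.example"})
    subs = []
    for user in (before, after):
        lid = local_account_id(user, client_id, key_attr, per_client=True)
        subs.append(pairwise_sub(sector, lid))
    return tuple(subs)


def sub_is_stable(key_attr: str) -> bool:
    """True when deletion and re-creation leave the pairwise sub unchanged."""
    before, after = subs_across_recreation(key_attr)
    return before == after
```

Whatever attribute replaces the inum must itself be unique and immutable per external account: if a uid can be reassigned to another person, that person inherits the previous sub at every relying party.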