eppn and subjectID for linked accounts

OpenConext / OpenConext-myconext

A (guest) IdP for OpenConext

https://eduid.nl/

5 stars 8 forks source link

eppn and subjectID for linked accounts #628

Closed phavekes closed 1 month ago

phavekes commented 1 month ago

For linked accounts, a user can only have a subjectID (eg Leidenuniv). SubjectID is more reliable than eppn, so we should prefer this.

A linked account should have an eppn, or subjectID.
If both are present, the subjectId is prefered
When adding a linked account, also validate the uniqueness of the subjectId

phavekes commented 1 month ago

5 gebruikers hebben wel een linked account, maar geen subjectId of eppn: db.users.find({ "linkedAccounts.schacHomeOrganization": { $exists: true, $ne: null, $ne: "" }, "linkedAccounts.eduPersonPrincipalName": { $exists: false }, "linkedAccounts.subjectId": { $exists: false } }).count();

phavekes commented 1 month ago

Om deze accounts te ont-linken:

db.users.updateMany(
    {
        "linkedAccounts.schacHomeOrganization": { $exists: true, $ne: null, $ne: "" },
        "linkedAccounts.eduPersonPrincipalName": { $exists: false },
        "linkedAccounts.subjectId": { $exists: false }
    },
    {
        $set: { "linkedAccounts": [] }  // Maak het linkedAccounts object een lege array
    }
)

Tyskai commented 2 weeks ago

Updated the test database! 2 users affected. Did not do acc or prod (yet)!