When an OIDC user logs in, an entry is created in the identities table. Currently, there is no way to remove those entries. This might be problematic if the user was removed from the external identity provider and an administrator wants to clean up the entries in LXD.
The suggestion is to add an endpoint that allows OIDC identities to be removed.
There are a number of options for removing OIDC identities:
1. Add a task to clean up OIDC identities that have not been seen for a configurable period and are not members of a LXD group.
2. Add an endpoint so that an administrator can remove them manually. If they are still present at the IdP level this will have the effect of revoking all LXD group membership, but it will not have any effect if permissions are configured using IdP group mappings.
3. Use SCIM as suggested by @mseralessandri. We should be careful to add a backup for this as it may not be supported by all IdPs.
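To make the first option concrete, here is an added example (not LXD code) of the selection rule such a cleanup task would apply: an identity is a candidate only if it has not been seen within the configured period and holds no LXD group membership, so nothing explicitly granted is revoked by the task. The Identity struct and field names are assumptions for this illustration, not LXD's schema.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Identity models the fields a cleanup task would need from the identities
// table. Field names are assumptions for this example, not LXD's schema.
type Identity struct {
	Identifier string    // OIDC subject or e-mail
	LastSeen   time.Time // last successful OIDC log-in
	Groups     []string  // LXD group memberships
}

// StaleOIDCIdentities returns, sorted, the identifiers of identities that
// have not logged in within maxAge and belong to no LXD group. Group members
// are never selected, however old, because removing them would silently drop
// the permissions granted through those groups.
func StaleOIDCIdentities(ids []Identity, now time.Time, maxAge time.Duration) []string {
	var out []string
	for _, id := range ids {
		if len(id.Groups) > 0 {
			continue // still carries explicit LXD permissions
		}
		if now.Sub(id.LastSeen) < maxAge {
			continue // seen recently enough
		}
		out = append(out, id.Identifier)
	}
	sort.Strings(out)
	return out
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample data: one stale unprivileged user, one stale group
	// member, one recently seen user.
	ids := []Identity{
		{"alice@example.com", now.Add(-100 * 24 * time.Hour), nil},
		{"bob@example.com", now.Add(-100 * 24 * time.Hour), []string{"admins"}},
		{"carol@example.com", now.Add(-2 * 24 * time.Hour), nil},
	}
	fmt.Println(StaleOIDCIdentities(ids, now, 90*24*time.Hour)) // [alice@example.com]
}
```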