With the move from a private Keycloak ID provider to Red Hat SSO, we find that several user UUID values (from the old and new ID provider) are attempting to claim the same username. The current user "cache" doesn't allow for this, nor in general does it seem we really want to be casually mapping multiple "users" across ID providers into the same "Pbench identity" just because they share a username.
Instead, diagnose this problem with an authorization failure and an explicit error message instead of letting the Auth module hide the error and silently treat the client connection as unauthenticated.
Note that we can manually fix this by renaming the old user entry in SQL, which will allow the server to recognize the new SSO login. We can then reassign any existing datasets from the old user to the new user.
PBENCH-1198
With the move from a private Keycloak ID provider to Red Hat SSO, we find that several user UUID values (from the old and new ID provider) are attempting to claim the same username. The current user "cache" doesn't allow for this, nor in general does it seem we really want to be casually mapping multiple "users" across ID providers into the same "Pbench identity" just because they share a username.
Instead, diagnose this problem with an authorization failure and an explicit error message instead of letting the Auth module hide the error and silently treat the client connection as unauthenticated.
Note that we can manually fix this by renaming the old user entry in SQL, which will allow the server to recognize the new SSO login. We can then reassign any existing datasets from the old user to the new user.