rancher / rancher

Complete container management platform
http://rancher.com
Apache License 2.0

[BUG] Users added by username in GenericOIDC auth provider do not have access to resources #46105

Open joesims22 opened 1 month ago

joesims22 commented 1 month ago

Rancher Server Setup

Information about the Cluster

Describe the bug

When the GenericOIDC (Keycloak) auth provider is enabled, auth provider users that are added to a cluster/project by their username are not able to access resources upon logging in. Only if a user is added by their user ID will they have access to resources upon logging in.

To Reproduce

  1. Install rancher v2.9-head
  2. Create a downstream cluster
  3. Enable GenericOIDC using Keycloak
  4. In the downstream cluster add testuser2 as a Cluster Owner
  5. Login as testuser2 and observe the downstream cluster is not listed

Expected Result

Users should be able to access resources when added by their username.

crobby commented 1 month ago

By default with Keycloak, as well as other OIDC providers, the "sub" claim (which we use to form our principal ID) is populated with the ID of the user. It is possible to map a different value to the sub claim to make for a more user-friendly UX, but you do need to be careful to set it to something that is guaranteed to be unique (which username should be) and ideally immutable, because if it changes and the user logs in, they will be seen as a new Rancher user.
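The behaviour crobby describes, as an added example (not Rancher's code and not from either participant): the login principal is derived from the token's `sub` claim, so a binding whose subject is the username never matches, while a binding on the user ID does. The second half shows the proposed workaround, a client-side mapper that copies the username into `sub`, together with its caveat that a renamed user becomes a different principal. The `genericoidc_user://` prefix, the claim names and the token contents are assumptions and constructed test data; the token is unsigned and deliberately not verified, because the point here is identity mapping, not token validation.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of ID-token claims this example inspects.
type Claims struct {
	Sub               string `json:"sub"`
	PreferredUsername string `json:"preferred_username"`
}

// decodeClaims pulls the payload out of a compact JWT. Signature
// verification is intentionally omitted in this demo; a real relying party
// must verify the token before trusting any claim in it.
func decodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Sub == "" {
		return c, fmt.Errorf("token has no sub claim")
	}
	return c, nil
}

// PrincipalID models how an OIDC auth provider forms a stable principal
// identifier: provider prefix plus the sub claim. The prefix is assumed.
func PrincipalID(c Claims) string {
	return "genericoidc_user://" + c.Sub
}

// HasAccess models a role-binding lookup: access is granted only when a
// binding's subject string equals the principal ID derived at login.
func HasAccess(bindings []string, loginPrincipal string) bool {
	for _, b := range bindings {
		if b == loginPrincipal {
			return true
		}
	}
	return false
}

// MapUsernameToSub imitates an IdP protocol mapper that overrides sub with
// the username (the workaround discussed above). It is hypothetical.
func MapUsernameToSub(c Claims) Claims {
	c.Sub = c.PreferredUsername
	return c
}

// mintToken builds an unsigned demo token from constructed claims.
func mintToken(claims map[string]string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

// Scenario reproduces the report: testuser2 added by username vs by user ID.
// It returns (accessWhenAddedByUsername, accessWhenAddedByUserID).
func Scenario() (bool, bool, error) {
	// Constructed Keycloak-style token: sub is the opaque user UUID.
	tok := mintToken(map[string]string{
		"sub":                "3f1c2b7a-0000-4000-8000-000000000002",
		"preferred_username": "testuser2",
	})
	c, err := decodeClaims(tok)
	if err != nil {
		return false, false, err
	}
	login := PrincipalID(c)
	byUsername := []string{"genericoidc_user://testuser2"}
	byUserID := []string{"genericoidc_user://" + c.Sub}
	return HasAccess(byUsername, login), HasAccess(byUserID, login), nil
}

// RenameAfterRemap shows the immutability caveat: with sub mapped to the
// username, an existing binding stops matching once the user is renamed.
func RenameAfterRemap(oldName, newName string) bool {
	before := MapUsernameToSub(Claims{Sub: "uuid", PreferredUsername: oldName})
	binding := []string{PrincipalID(before)}
	after := MapUsernameToSub(Claims{Sub: "uuid", PreferredUsername: newName})
	return HasAccess(binding, PrincipalID(after))
}

func main() {
	byName, byID, err := Scenario()
	fmt.Println("added by username:", byName, "added by user ID:", byID, "err:", err)
	fmt.Println("binding survives rename after remap:", RenameAfterRemap("testuser2", "testuser2-renamed"))
}
```

When you adopt the mapper, set it on the Rancher client scope only and pick a value the IdP enforces as unique and never reissues to another account; a reassigned username would silently inherit the old account's Rancher permissions.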