Username is not corrected with ocdi user's subject

[stevenscn]

we are integrating Apollo with Keycloak (openid provider), and got below issues:

1. it seems to be not corrected that Apollo use ocdi user's subject as user id , should be some other properties such as email/username... because the subject of ocdi user's subject may be ID in database. it's better that can be configurated by user.
2. if the apollo work on Nginx or with some context path such as apollo, when logout (integrate with openid), it redirect to /logout, should be /apollo/logout.

[nobodyiam]

1. it seems to be not corrected that Apollo use ocdi user's subject as user id , should be some other properties such as email/username... because the subject of ocdi user's subject may be ID in database. it's better that can be configurated by user.

Do you mean oidc? @vdisk-group would you please help to take a look at this?

2. if the apollo work on Nginx or with some context path such as apollo, when logout (integrate with openid), it redirect to /logout, should be /apollo/logout.

Please refer Portal挂载到nginx/slb后如何设置相对路径？

[stevenscn]

@nobodyiam ,

1. Yes, it is oidc.
2. actually, i have setup nginx，and which work well without oidc, just can't work with oidc.

[stevenscn]

@nobodyiam ,

1. Yes, it is oidc.
2. actually, i have setup nginx，and which work well without oidc, just can't work with oidc.

[vdiskg]

1. it seems to be not corrected that Apollo use ocdi user's subject as user id , should be some other properties such as email/username... because the subject of ocdi user's subject may be ID in database. it's better that can be configurated by user.

the column Users.Username is designed as a unique identification. the Implementation of UserService#findByUserId on OidcLocalUserService and SpringSecurityUserService are just like this.

  @Override
  public UserInfo findByUserId(String userId) {
    UserPO userPO = userRepository.findByUsername(userId);
    return userPO == null ? null : userPO.toUserInfo();
  }

so add a new column for human readable username maybe better.
such as #3629

2. if the apollo work on Nginx or with some context path such as apollo, when logout (integrate with openid), it redirect to /logout, should be /apollo/logout.

fix on #3628

[stevenscn]

In my opinion, the email or login name, may be identification at most time, it is better that have user decide which property is used for identification, should keep open for variability.

[vdiskg]

In my opinion, the email or login name, may be identification at most time, it is better that have user decide which property is used for identification, should keep open for variability.

make the email or login name be identification can leads to security vulnerabilities.
the email or login name in oidc provider might be changed. it can break the relationships of oidc user and the local user, witch cause the authority of each application ineffective.and if an ordinary user change it's email or login name to an admin user once owned, the ordinary user may get the privilege of the admin user

[stevenscn]

1. Any properties are seen as identity should be unique and not updatable（need validate email if user still update his email at least）, both in apollo and oidc system
2. Admin should know that which properties can be seen as identity.
3. Suppose your solution is reasonable, but you just ensure that oidc user can login apollo. if an account exists in apollo and oidc system, has same username/email, which should be same account in business and theory, but apollo would consider it is another account with your solution.