Description
Describe the task
Ensure our code uses the subject (“sub”) claim value as the primary identifier when authenticating users in your application.
Purpose
If you are a developer supporting an application that relies on the Keycloak/SSO service for user authentication, please implement the following recommendation in your application and share it with your development team:
We strongly recommend that all product teams immediately review and, where needed, update their authentication implementations. Specifically, ensure your code uses the subject (“sub”) claim value, rather than a mutable attribute such as an email address or username, as the primary identifier when authenticating users in your application. Keying user identity on the subject identifier significantly enhances security and reduces the risk of similar vulnerabilities in the future.
The subject identifier is carried in the “sub” claim of the ID token payload. Per the OpenID Connect Core specification, it is a locally unique and never reassigned identifier within the Issuer for the End-User, intended to be consumed by the Client. Because its uniqueness is scoped to the Issuer, store and compare it together with the “iss” claim of the token that carried it.
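The following is an added, illustrative example (not code from the BC Gov SSO team, Keycloak, or any product team) contrasting an account lookup keyed on the email claim with one keyed on the (“iss”, “sub”) pair. The UserStore class, the issuer URL and the two claim sets are constructed for the example; the claims stand in for ID-token payloads whose signature, issuer, audience and expiry have already been verified, which your OIDC library must do before any claim is trusted.

```python
# Added example (not BC Gov SSO or Keycloak code): account lookup keyed on the
# email claim versus on the (iss, sub) pair. The claims dicts are constructed,
# already signature-verified ID-token payloads.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: int
    issuer: str    # "iss" of the ID token that created the account
    subject: str   # "sub" of that token: stable, never reassigned by the issuer
    email: str     # profile attribute: may change or be reused, never an identity key


class UserStore:
    """Minimal in-memory account table (hypothetical; stands in for your database)."""

    def __init__(self) -> None:
        self._accounts: list[Account] = []

    def find_by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self._accounts if a.email.lower() == email.lower()), None)

    def find_by_subject(self, issuer: str, subject: str) -> Optional[Account]:
        return next((a for a in self._accounts
                     if a.issuer == issuer and a.subject == subject), None)

    def create(self, issuer: str, subject: str, email: str) -> Account:
        acct = Account(len(self._accounts) + 1, issuer, subject, email)
        self._accounts.append(acct)
        return acct


def login_by_email(store: UserStore, claims: dict) -> Account:
    """Fragile pattern: whoever presents a verified token carrying this email gets the account."""
    acct = store.find_by_email(claims["email"])
    return acct or store.create(claims["iss"], claims["sub"], claims["email"])


def login_by_subject(store: UserStore, claims: dict) -> Account:
    """Recommended pattern: identity is (iss, sub); email is synced as profile data only."""
    issuer, subject = claims.get("iss"), claims.get("sub")
    if not issuer or not subject:
        raise ValueError("ID token missing iss or sub claim; refuse to authenticate")
    acct = store.find_by_subject(issuer, subject)
    if acct is None:
        return store.create(issuer, subject, claims.get("email", ""))
    if "email" in claims and acct.email != claims["email"]:
        acct.email = claims["email"]  # keep the profile current; identity is unchanged
    return acct


# Constructed payloads: two different subjects at the same (hypothetical) issuer
# whose email claims collide, e.g. a reassigned address or a shared mailbox.
ISS = "https://sso.example.test/auth/realms/standard"
CLAIMS_FIRST = {"iss": ISS, "sub": "3f6c0b4e-1111-4e5a-9f2b-aaaaaaaaaaaa",
                "email": "jane@example.com"}
CLAIMS_SECOND = {"iss": ISS, "sub": "9a2d7e10-2222-4c8f-b3d1-bbbbbbbbbbbb",
                 "email": "jane@example.com"}


def compare_strategies() -> dict:
    """Run both login flows over the two tokens and report whether the second
    token landed on the first token's account."""
    by_email = UserStore()
    first = login_by_email(by_email, CLAIMS_FIRST)
    second = login_by_email(by_email, CLAIMS_SECOND)
    email_collides = first.account_id == second.account_id

    by_sub = UserStore()
    first = login_by_subject(by_sub, CLAIMS_FIRST)
    second = login_by_subject(by_sub, CLAIMS_SECOND)
    sub_collides = first.account_id == second.account_id

    return {"email_keyed_collision": email_collides,
            "subject_keyed_collision": sub_collides}


if __name__ == "__main__":
    print(compare_strategies())
```

With the email-keyed lookup the second subject is silently mapped onto the first subject's account; with the subject-keyed lookup each subject gets its own account, and a later change to the first subject's email claim updates the profile without changing which account it resolves to. A token with no “sub” claim is rejected outright rather than falling back to another attribute.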
Acceptance Criteria
- If you don't already, ensure your code uses the subject (“sub”) claim value as the primary identifier when authenticating users in your application (for both IDIR and BCeID users)
Additional context
- For more information on the Subject Identifier, refer to the OpenID Connect Core specification (Section 8, Subject Identifier Types):
https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
If you have any questions or need support with these changes, please don't hesitate to reach out to our team. You can email us at BCGov.SSO@gov.bc.ca or ask a question in the #sso channel on Rocketchat.