Find user by nameOrId has undocumented implications

[butonic]

For the multitenancy PR we made graph able to find users by name or id: #1274 (review)

I am worried that we start to cement username to be unique which it is not. The OpenID Connect spec explicitly states that only sub+iss are unique. In a multi tenant deployment, regardless how many IdPs are used, there will be users with the same username, which is why the claim is called preferred_username.

The graph api allows using the user id or the userPrincipalName, which is a scoped username as it has the format <samaccountname>@<upnsuffix>. The upnsuffix should match the domain and often leads to upn and mailaddress to be the same.

We should at least document that the name parameter for these api calls MUST be unique over all users. I would prefer if we change the name of the variable to be mailOrID or maybe upnOrID.

[butonic]

cc @dragonchaser @aduffeck @rhafer

[dragonchaser]

I'd prefer upnOrID instead of mailOrID there might be multiple accounts tied to the same e-mail address and we run into the same issue again.

[rhafer]

For the multitenancy PR we made graph able to find users by name or id: #1274 (review)

Just for the sake of correctness. This is nothing new. We had that from the beginning. (I'm not judging whether that was a good choice)

In case there are multiple users with the same username the current implemenation will throw an error. (And NOT return any of the matched users)

I am worried that we start to cement username to be unique which it is not. The OpenID Connect spec explicitly states that only sub+iss are unique. In a multi tenant deployment, regardless how many IdPs are used, there will be users with the same username, which is why the claim is called preferred_username.

The graph api allows using the user id or the userPrincipalName, which is a scoped username as it has the format <samaccountname>@<upnsuffix>. The upnsuffix should match the domain and often leads to upn and mailaddress to be the same.

We should at least document that the name parameter for these api calls MUST be unique over all users. I would prefer if we change the name of the variable to be mailOrID or maybe upnOrID.

We simply don't have a UPN attribute currently. And just making one up (from whatever) will lead to the same issues as with the username. (e.g. Mail addresses don't need to be unique in opencloud currently neither is a user required to have a mail address set)

If there really is an issue with allowing queries like graph/v1.0/<username> which should probably just get rid of that feature and allow only queries by id. If users need to be looked up by name there is $search or $filter.