
HsM Reference Manual


Authentication with OpenID Connect

OpenID Connect authentication in the Client Service relies on an external identity service that conforms to the OpenID Connect standard.

Much of the data in the Client Service is associated with users, which represent (usually natural) persons within HsM. Users can be created in the Client Service without any authentication information, so the principals managed by the identity service must be matched to the users managed by the Client Service.

In OpenID Connect, only the sub claim of a JSON Web Token (JWT) is guaranteed to uniquely identify a principal. When the Client Service receives a JWT, it first checks whether a user in the Client Service has a matching sub; if so, that user is the match. If no user has a matching sub, the Client Service tries to find a user with a matching email address. If such a user is found, the sub from the JWT is stored with that user.

Every time the Client Service receives a JWT it will perform this identity matching.

Note: Unlike OpenID Connect, HsM treats the email address of a user as a unique identifier, i.e. no two users in HsM can have the same email address.
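The following Python example is an added illustration of the matching procedure described above; it is not code from the HsM Client Service. The in-memory UserStore, the User dataclass and the function names are assumptions. It implements the two-step lookup (sub first, then email address, after which the sub is stored with the user) and enforces the uniqueness of email addresses stated in the note. Two checks go beyond what the page states and are labelled as assumptions in the code: the email fallback is only used when the token carries email_verified, and a user that already holds a different sub is not silently rebound to a new one.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class User:
    """Minimal stand-in for a Client Service user (constructed for this example)."""
    user_id: int
    email: str
    sub: Optional[str] = None  # None until the first successful identity match


class UserStore:
    """In-memory stand-in for the Client Service user table (assumption)."""

    def __init__(self, users: Iterable[User]):
        self._by_id: Dict[int, User] = {}
        self._by_email: Dict[str, User] = {}
        for user in users:
            key = user.email.strip().lower()  # case-insensitive comparison is an assumption
            if key in self._by_email:
                # HsM treats the email address as unique: refuse duplicates.
                raise ValueError(f"duplicate email address: {user.email}")
            self._by_id[user.user_id] = user
            self._by_email[key] = user

    def find_by_sub(self, sub: str) -> Optional[User]:
        return next((u for u in self._by_id.values() if u.sub == sub), None)

    def find_by_email(self, email: str) -> Optional[User]:
        return self._by_email.get(email.strip().lower())


def match_principal(store: UserStore, claims: dict) -> Optional[User]:
    """Match the principal of a validated JWT (its claims) to a Client Service user.

    Returns the matched User, or None when no user can be associated with the token.
    Signature verification, issuer/audience and expiry checks are assumed to have
    happened before this function is called.
    """
    sub = claims.get("sub")
    if not sub:
        return None  # sub is the only claim guaranteed to identify the principal

    # Step 1: a user already carrying this sub is the match.
    user = store.find_by_sub(sub)
    if user is not None:
        return user

    # Step 2: fall back to the email address.
    email = claims.get("email")
    if not email:
        return None
    # Assumption beyond the page: only trust an email the identity service has verified.
    if claims.get("email_verified") is not True:
        return None
    user = store.find_by_email(email)
    if user is None:
        return None
    # Assumption beyond the page: never rebind a user that already has a different sub.
    if user.sub is not None and user.sub != sub:
        return None

    # Store the sub with the user so the next token matches in step 1.
    user.sub = sub
    return user


def demo() -> UserStore:
    """Constructed sample data: one user already linked, one not yet linked."""
    store = UserStore([
        User(1, "alice@example.com", sub="idp|alice"),
        User(2, "bob@example.com"),
        User(3, "carol@example.com", sub="idp|carol"),
    ])
    # First token for Bob: matched by email, and his sub is now stored.
    match_principal(store, {"sub": "idp|bob", "email": "Bob@Example.com", "email_verified": True})
    return store


if __name__ == "__main__":
    s = demo()
    print(s.find_by_email("bob@example.com"))
```

Each call to match_principal runs the full matching, as the page describes; after Bob's first token the second step is no longer needed for him because his sub is stored.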