
Link OIDC accounts by unique identifier #3322

Closed
@kylecarbs

Description


Introduced by #3314. OIDC accounts are currently linked by a verified email address from the provider. If a user's upstream email address changes, this would cause a new user to be created in Coder instead of associating it.

The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.

See: https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

Accounts should be linked by a unique identifier to the OIDC provider, not the email address. This can also take effect for OAuth2 authentication since each method (currently just GitHub) queries the upstream service API to get information (which would include a unique user ID).

The simplest solution seems to be a table of account links with a unique index of:

CREATE TABLE user_auth (
  user_id UUID NOT NULL REFERENCES users (id),
  login_type login_type NOT NULL,
  -- provider-stable identifier for this user (for OIDC, derived from iss + sub)
  linked_id text NOT NULL,
  -- at most one link per provider per user
  UNIQUE(user_id, login_type)
);

I don't see a reason to remove a link right now, but the implementor may discover one.
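The linking flow the issue describes, written out as an added example in Go (this is illustrative code for this page, not Coder's implementation). It assumes an in-memory stand-in for the `users` and `user_auth` tables, a configured expected issuer, and a `LinkedID` encoding of `iss` and `sub` chosen here so that the separator cannot be forged from inside either value. It goes one step beyond the issue's table by also enforcing uniqueness on (login_type, linked_id), so one upstream identity cannot be attached to two Coder users, and by handling the migration case for accounts that were created under the old email-based linking.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// LoginType mirrors the login_type column of the proposed user_auth table.
type LoginType string

const LoginTypeOIDC LoginType = "oidc"

// Claims holds the ID-token claims this example reads. The field comments give
// the OIDC Core claim names; the struct itself is this example's own.
type Claims struct {
	Issuer        string // iss
	Subject       string // sub
	Email         string // email
	EmailVerified bool   // email_verified
}

// LinkedID builds the stable identifier from iss and sub. Both halves are
// percent-encoded so a "|" inside iss or sub cannot collide with the separator
// (encoding choice made for this example, not prescribed by the issue).
func LinkedID(iss, sub string) string {
	return url.QueryEscape(iss) + "|" + url.QueryEscape(sub)
}

// User is the in-memory stand-in for a row of the users table.
type User struct {
	ID    string
	Email string
}

// Store is an in-memory stand-in for the users and user_auth tables.
// links enforces UNIQUE(login_type, linked_id): one upstream identity maps to
// at most one user. That second index is this example's addition; the issue
// itself proposes UNIQUE(user_id, login_type).
type Store struct {
	Issuer  string            // configured provider; tokens from any other iss are rejected
	users   map[string]*User  // user_id -> user
	links   map[string]string // login_type:linked_id -> user_id
	byEmail map[string]string // email -> user_id (the legacy lookup)
	nextID  int
}

func NewStore(issuer string) *Store {
	return &Store{Issuer: issuer, users: map[string]*User{}, links: map[string]string{}, byEmail: map[string]string{}}
}

// AddLegacyUser simulates an account created before links existed.
func (s *Store) AddLegacyUser(email string) *User {
	s.nextID++
	u := &User{ID: fmt.Sprintf("user-%d", s.nextID), Email: email}
	s.users[u.ID] = u
	s.byEmail[email] = u.ID
	return u
}

func linkKey(lt LoginType, linkedID string) string { return string(lt) + ":" + linkedID }

// hasLink reports whether userID already has a link of the given login type.
func (s *Store) hasLink(userID string, lt LoginType) bool {
	for k, id := range s.links {
		if id == userID && strings.HasPrefix(k, string(lt)+":") {
			return true
		}
	}
	return false
}

// Login resolves ID-token claims to a user and reports whether it was created.
func (s *Store) Login(c Claims) (*User, bool, error) {
	if c.Issuer != s.Issuer {
		return nil, false, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Subject == "" {
		return nil, false, errors.New("id token missing sub claim")
	}
	key := linkKey(LoginTypeOIDC, LinkedID(c.Issuer, c.Subject))

	// 1. Stable path: (iss, sub) already linked. An upstream email change is
	//    absorbed by updating the record instead of creating a new user.
	if id, ok := s.links[key]; ok {
		u := s.users[id]
		if c.Email != "" && c.Email != u.Email {
			delete(s.byEmail, u.Email)
			u.Email = c.Email
			s.byEmail[c.Email] = id
		}
		return u, false, nil
	}

	// 2. Migration path for pre-link accounts: adopt the email-matched user only
	//    for a verified email and only if it has no OIDC link yet, so a second
	//    upstream identity presenting the same email cannot take over an account.
	if id, ok := s.byEmail[c.Email]; ok && c.Email != "" {
		if !c.EmailVerified || s.hasLink(id, LoginTypeOIDC) {
			return nil, false, fmt.Errorf("email %q already belongs to user %s", c.Email, id)
		}
		s.links[key] = id
		return s.users[id], false, nil
	}

	// 3. Genuinely new user.
	u := s.AddLegacyUser(c.Email)
	s.links[key] = u.ID
	return u, true, nil
}
```

The order of the three paths is what matters: the link lookup runs first so that, once a user is linked, neither an email change nor another account with the same email can redirect the login.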

Labels: apiArea: HTTP API