Advice for Multiple Credentials to a Single User

[baxterjo]

I've seen quite a few authentication frameworks that allow the use of multiple credentials to a single user. AWS IAM comes to mind, you can generate many API key credentials that all resolve to a single user.

This framework appears to mostly support that. But when implementing the AuthnBackend trait get_user() method. I am expected to provide a user that has a session_auth_hash().

To me that indicates that this framework expects user:credential to be 1:1, because if you are not given a credential when looking up a user then you need a way to deterministically provide one.

Is that a correct conclusion? Or am I missing something?

[baxterjo]

Alternatively, providing a little more insight on what the session_auth_hash() method is used for might be more helpful.

If it is a benign getter function that is meant for users to put in audit logs, then I don't really care if I session_auth_hash() is non-deterministic.

If it is used internally by axum-login then that is a different story.