First I had issues with the external_id field on SSO, because they were all initially strings of length 16, and later I stored 24-char strings, but it got completely messed up: you could get logged in as a different user. It seems it cropped the external_id length, but that was hard to debug.
So I make sure to keep external_id at the same length. It’s not really practical; why not use a TEXT column type for it?
And my question is also: can I update the external_id of existing users after doing a DB migration on my external site that provides SSO, and allow those users to keep their existing Discourse profile when they log in?
The easiest way might be to simply delete all external IDs – when your users try to sign in again, Discourse will use the email address to find the right account. (This won’t work if the users change their email address in the meantime!)
The external_id is saved to the single_sign_on_records table. You can delete all records from this table by entering the Rails console and running:
SingleSignOnRecord.destroy_all
As long as you are not setting require_activation to true in the SSO payload, after deleting your site’s SSO records, new SSO records will be created for your users based on their email address when they log in with SSO.
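
A pre-flight check for the delete-and-relink approach in the replies above, as an added example that is not part of the original thread and is not Discourse code. It works on two constructed exports (the hash layout, the `preflight` name and the case-insensitive email comparison are assumptions) and reports which forum accounts would relink by email, which would not, and which new IDs share their first 16 characters, the symptom reported in the question.

```ruby
# Added example: plain Ruby, no Discourse classes. All data below is constructed.
# Assumption: emails are compared case-insensitively after trimming whitespace.

def normalize(email)
  email.to_s.strip.downcase
end

# discourse_users: [{ user_id:, email: }] exported from the forum
# idp_users:       [{ external_id:, email: }] exported from the migrated SSO site
# prefix_len:      prefix length to test (16 is the old ID length from the question)
def preflight(discourse_users, idp_users, prefix_len: 16)
  by_email = idp_users.group_by { |u| normalize(u[:email]) }

  relink, orphaned, ambiguous = [], [], []
  discourse_users.each do |u|
    matches = by_email.fetch(normalize(u[:email]), [])
    case matches.size
    when 0 then orphaned << u[:user_id]   # email changed or user gone: no match on next login
    when 1 then relink << [u[:user_id], matches.first[:external_id]]
    else        ambiguous << u[:user_id]  # several SSO-site accounts share this email
    end
  end

  # New IDs that become identical when cut to prefix_len characters.
  collisions = idp_users.map { |u| u[:external_id].to_s }
                        .group_by { |id| id[0, prefix_len] }
                        .select { |_, ids| ids.uniq.size > 1 }
                        .values.map { |ids| ids.uniq.sort }

  { relink: relink, orphaned: orphaned, ambiguous: ambiguous, collisions: collisions }
end

# Constructed sample data (24-character IDs, as in the question).
DISCOURSE_USERS = [
  { user_id: 1, email: "alice@example.com" },
  { user_id: 2, email: "Bob@Example.com" },
  { user_id: 3, email: "carol@example.com" },
]
IDP_USERS = [
  { external_id: "5f1d7f0a9c3b2e4d6a8b0c11", email: "alice@example.com" },
  { external_id: "5f1d7f0a9c3b2e4d6a8b0c12", email: "bob@example.com" },
  { external_id: "7a2e8b1c0d4f6e5a9b3c2d10", email: "carol@new.example.com" },
]

REPORT = preflight(DISCOURSE_USERS, IDP_USERS)
puts REPORT.inspect if __FILE__ == $PROGRAM_NAME
```

Any entry under `orphaned`, `ambiguous` or `collisions` is an account to resolve by hand before the SSO records are deleted.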