
Provide unique, consistent user identifier for repeated authentication attempts #376

Merged
merged 8 commits into from
Nov 22, 2023

Conversation

Gavinok
Contributor

@Gavinok Gavinok commented Nov 20, 2023

When authenticating with VC-AuthN, there are currently two options for generating a subject_identifier for the authenticated user:

  • Using one of the proof-request attributes, if available and configured in the proof-configuration
  • Generating a new identifier for each authentication attempt

The first option is only available IF the VCs used to authenticate provide a unique identifier: this would be configured in the proof-configuration to be used as sub, and would be passed along to the relying party that initiated the authentication request.

The issue with this pattern when integrating VC-AuthN into an AIM system such as Keycloak is that, unless a unique user identifier is generated by VC-AuthN, it will not be possible to associate roles with the user account in the AIM system, as every authentication attempt will appear as a new user trying to access the system.

Proposed solution:
Rather than generating a new random user identifier for every authentication attempt, VC-AuthN would generate a consistent user identifier by hashing a canonicalized version of the JSON containing the claims obtained from the proof-request.

Possible library to canonicalize JSON: https://pypi.org/project/canonicaljson/

The underlying Pyop library will generate a new value for the sub if none is provided. A couple of places we could look at plugging in the generation of the subject identifier value:

  • here to generate the sub BEFORE pyop takes over to generate the token
  • by implementing a new SubjectidentifierFactory matching our criteria and injecting it in the code at the right time (here).
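The derivation proposed above, as an added example that is not part of the PR or of the VC-AuthN code base: the revealed claims are canonicalized and hashed, so the same credentials yield the same `sub` on every authentication regardless of attribute order. The `canonicalize` helper here is a stand-in for the canonicaljson library (sorted keys, no whitespace, UTF-8), the sample claims are constructed, and the optional `secret` parameter is a hypothetical hardening step, not something the PR describes.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: the same claims revealed twice with different key order,
# as two presentations of the same credentials might be serialized, plus a
# different holder's claims for comparison.
CLAIMS_A = {"given_name": "Alice", "family_name": "Example", "birthdate": "1990-01-01"}
CLAIMS_B = {"birthdate": "1990-01-01", "family_name": "Example", "given_name": "Alice"}
CLAIMS_OTHER = {"given_name": "Bob", "family_name": "Example", "birthdate": "1990-01-01"}


def canonicalize(claims: dict) -> bytes:
    """Stand-in for the canonicaljson library: sorted keys (recursively),
    compact separators, UTF-8 bytes. Any stable canonical form works, as long
    as the same one is used for every authentication attempt."""
    text = json.dumps(claims, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def derive_sub(claims: dict, secret: Optional[bytes] = None) -> str:
    """Return a subject identifier that is identical for identical claims.

    With secret=None this is the plain SHA-256 of the canonical JSON, as the
    PR description proposes. Passing a server-side secret (hypothetical
    hardening, not part of the PR) switches to HMAC-SHA256 so a party that
    learns a `sub` cannot brute-force low-entropy claims such as a birthdate
    from it; the identifier stays consistent as long as the secret is stable.
    """
    canon = canonicalize(claims)
    if secret is None:
        return hashlib.sha256(canon).hexdigest()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Same holder, different attribute order: identical sub.
    print(derive_sub(CLAIMS_A) == derive_sub(CLAIMS_B))
    # Different holder: different sub.
    print(derive_sub(CLAIMS_A) == derive_sub(CLAIMS_OTHER))
```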

@esune esune added the labels "2.0" (Work related to 2.0 release) and "enhancement" (New feature or request) Oct 20, 2023
@esune esune changed the title from "Provide unique user identifier for authentication attempts" to "Provide unique, consistent user identifier for repeated authentication attempts" Oct 20, 2023
@Gavinok Gavinok self-assigned this Nov 14, 2023
@Gavinok Gavinok requested a review from esune November 20, 2023 19:51
@coveralls

Coverage Status

coverage: 94.413%. remained the same
when pulling 6f4e9a2 on 376-unique-consistent-user-identifier
into ac7c5e7 on main.

@Gavinok Gavinok closed this Nov 20, 2023
@Gavinok Gavinok reopened this Nov 20, 2023
Member

@esune esune left a comment

Looking good, just a question regarding the new models

oidc-controller/api/core/oidc/issue_token_service.py (review thread, outdated and resolved)
@Gavinok Gavinok requested a review from esune November 22, 2023 20:41
Member

@esune esune left a comment

👍🏻

@esune esune merged commit bc862e2 into main Nov 22, 2023
3 checks passed
@esune esune deleted the 376-unique-consistent-user-identifier branch November 22, 2023 22:00