when a value for a user/group id is too long, it should be hashed
We have a limit for user and group ids of 64 characters. At the moment, if a value from the IdP that is supposed to be used as such is longer than this limit, there is no handling. Probably the best thing to do is to hash the id in this case and document this behaviour. As of now it would fail to write to the DB.
With the prefix in mind, which should not be hashed, we cannot use sha256 or newer functions for hashing, as they are right at 64 bytes in length. Also, I don't want to use md5, to reduce the risk of collisions. My suggestion would be tiger (tiger192,4), resulting in 48 bytes in length. It comes close(st) to sha-256 (cf. https://mojoauth.com/compare-hashing-algorithms/hmac-sha256-vs-tiger/, though speed is not the differentiator here and makes no real difference on relatively little data).
What is also necessary is to add a safeguard for the group prefix and soft-limit its length as well. Soft-limit, because we cannot be sure that there are no long ones in use already, although this is highly doubtful. But this way we would not break backwards compatibility and also not introduce a behavioural change on new setups.
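As an added example (not code from this issue or from the project), here is how the described rule could look in PHP: keep the prefix unhashed, hash only the IdP value with tiger192,4 when the combined id would exceed 64 bytes, and soft-limit the prefix. The 16-byte prefix limit is my own derivation (64 - 48); the function and constant names are assumptions.

```php
<?php
declare(strict_types=1);

const MAX_ID_LENGTH = 64;        // hard limit of the id column (bytes, assumed)
const HASH_ALGO = 'tiger192,4';  // 192-bit digest -> 48 lowercase hex characters
const HASH_HEX_LENGTH = 48;
// Derived soft limit: a prefix up to 16 bytes always leaves room for the 48-byte hash.
const MAX_PREFIX_LENGTH = MAX_ID_LENGTH - HASH_HEX_LENGTH;

/**
 * Build a user/group id from a (possibly empty) prefix and the raw IdP value.
 * The prefix is never hashed; the raw value is hashed only when the plain
 * concatenation would not fit, so short ids stay unchanged for existing users.
 * Hashing is deterministic, so the same IdP value maps to the same id on every login.
 */
function buildId(string $prefix, string $rawValue): string {
    if (strlen($prefix) > MAX_PREFIX_LENGTH) {
        // Soft limit only: warn, do not reject, so existing long prefixes keep working.
        trigger_error(
            sprintf('prefix "%s" exceeds %d bytes; hashed ids may not fit', $prefix, MAX_PREFIX_LENGTH),
            E_USER_WARNING
        );
    }

    $candidate = $prefix . $rawValue;
    if (strlen($candidate) <= MAX_ID_LENGTH) {
        return $candidate;                       // fits: use the IdP value as-is
    }

    $hashed = $prefix . hash(HASH_ALGO, $rawValue);
    if (strlen($hashed) > MAX_ID_LENGTH) {
        // Only reachable with an over-long prefix: fail clearly instead of letting the DB write fail.
        throw new \LengthException(sprintf('id "%s" exceeds %d bytes even after hashing', $hashed, MAX_ID_LENGTH));
    }
    return $hashed;                              // prefix + 48 hex chars, <= 64 bytes
}

// Constructed sample values to show both paths.
$short = buildId('saml_', 'alice@example.org');   // unchanged, 22 bytes
$long  = buildId('saml_', str_repeat('a', 100));  // 'saml_' . 48 hex chars = 53 bytes
assert($short === 'saml_alice@example.org');
assert(strlen($long) === 53 && str_starts_with($long, 'saml_'));
assert(strlen(hash(HASH_ALGO, 'x')) === HASH_HEX_LENGTH);
```

The check at the end makes the arithmetic explicit: with a prefix longer than 16 bytes, even the hashed form overflows the 64-byte column, which is why the prefix needs its own limit.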