If I (legitimately) create a user in my authelia instance, and then update the email address to be that of a misago administrator, the auth login in misago maps that new user to the admin user with the same email address. This is very not good!
This is by design. You are delegating verification to the identity provider, making it its job to verify the e-mail addresses.
This is authoritative in the auth single source of truth (authelia) and cannot be changed (unlike the email address).
Username is weak as an authoritative source of truth, simply because it's much more commonly changeable than e-mails are, and comes with less verification than e-mails do. You should set up Authelia to verify user e-mails when they change them.
To elaborate a little on this, if a user signs in to Misago through OAuth 2, Misago pulls their ID from the user JSON and does either:
- if this ID is associated with an existing user account, the user is signed in to this account
- if this ID has no existing user account associated with it, it looks up the user by e-mail next.
- If a user account with that e-mail exists, the ID is associated with this user. If not, a new user account is created.
Please note that enabling OAuth 2 disables Misago registration and e-mail change features. So only users with accounts registered before OAuth 2 was enabled will be "affected".