# Reflecting FAS/ACO user email change

Openshift was initially configured to use IdP/Oauth but creating user with `preferred_email` as main login ID.
That means that when a user updates/changes its email address at FAS/ACO side, he loses his rights in openshift and deployed applications.

We have a plan to discuss massively reflect a change to get back to `user` instead of `email` and process all groups/projects but for the time being, if someone in such situation is creating a ticket, here is a simple way to fix it directly in openshift.

Let's assume that user is `foo` and his previous email `foo@bar.com` but he has a new email address now in FAS (which you can query https://fasjson.fedoraproject.org to find).

Basically we have to :

  * remove user from openshift
  * delete cached openshift identify for that user

Login on the node that is in the `ocp-ci-management` ansible group , become `ocpadm` user and run the following (cli and eventually ansible playbook to come later) :


```
user="foo"
email="foo@bar.com"

[ocpadm@<node> ~]$ oc get identities | grep "${email}"
CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f   CentOS_and_Fedora_account   f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f 

# Now that we have identity, just delete it
[ocpadm@<node> ~]$ oc delete identity CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f
identity.user.openshift.io "CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f" deleted

# Let's now delete user
[ocpadm@<node> ~]$ oc delete user ${user} 

```

We can now ask the user to login again and his new user will be created and linked with FAS/ACO.
Don't forget to reflect his new email address for his projects and update projecs (like you'd do to create it, so push to git and `oc apply`)