Link Credentials to Keychains #4274

@AishaHassen

Is your feature request related to a problem? Please describe.

The current keychain implementation cannot uniquely identify credentials when multiple credentials share the same external ID within a project. This prevents us from building multi-tenant workflows where the same identifier (e.g., a facility code) needs to authenticate against different systems using different credentials.

For example, if facility_code: "F001" is used as an external ID for both:

  • System A credentials (e.g., OpenMRS instance)
  • System B credentials (e.g., DHIS2 instance)

A job using keychain lookup with external ID "F001" cannot determine which credential to use, causing the workflow to fail. This limitation blocks our ability to implement dynamic credential selection for multi-system integrations where the same organizational identifier maps to different authentication contexts.

Tell us about your idea - describe the solution you'd like.

Link credentials to keychains at the time of credential creation, establishing an explicit relationship between each credential and its intended keychain.

Current behavior:
Keychains select credentials at runtime using: uuid:{project + external_id}

  • This fails when multiple credentials share the same external ID
  • The decoupled relationship creates ambiguity in credential resolution

Proposed behavior:
Keychains select credentials at runtime using: uuid:{project + keychain + external_id}

  • Each credential is explicitly associated with a specific keychain during creation
  • The keychain acts as a namespace, allowing the same external ID to exist across multiple credentials without conflict
  • Credential selection becomes deterministic: "For external ID 'F001' in keychain 'SystemA', use credential X"

This removes interpretation from credential selection—users explicitly define which credentials belong to which keychain, eliminating any ambiguity when dealing with authentication.

Link to diagrams

Additional context

We encounter this issue in multi-tenant healthcare implementations where a single facility code needs to authenticate against multiple systems. For instance:

  • Facility "F001" needs credentials to sync data to OpenMRS (System A)
  • The same facility "F001" needs different credentials to sync data to DHIS2 (System B)

Currently, we cannot implement this pattern using keychains because both credentials would have external ID "F001", making them indistinguishable to the keychain lookup mechanism.

Frequency: This affects multi-system integration projects we build where external identifiers overlap across different platforms.
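
The lookup ambiguity described in this issue, as an added Python example that is not part of the original issue or the project's code. The class and function names, the `clinic-sync` project name, the credential strings, and the use of a name-based UUID for the `uuid:{...}` notation are all assumptions made for illustration.

```python
import uuid
from collections import defaultdict


class CredentialLookupError(LookupError):
    """Raised when a lookup matches zero or several credentials."""


def lookup_key(*parts):
    # Length-prefix each part so ("ab", "c") and ("a", "bc") derive different keys.
    material = "|".join(f"{len(p)}:{p}" for p in parts)
    # Assumption: a name-based UUID stands in for the issue's "uuid:{...}" notation.
    return uuid.uuid5(uuid.NAMESPACE_URL, material)


class CredentialStore:
    def __init__(self, scoped_by_keychain):
        self.scoped = scoped_by_keychain
        self.by_key = defaultdict(list)

    def key_for(self, project, keychain, external_id):
        if self.scoped:
            return lookup_key(project, keychain, external_id)  # proposed behavior
        return lookup_key(project, external_id)  # current behavior: keychain ignored

    def add(self, project, keychain, external_id, credential):
        self.by_key[self.key_for(project, keychain, external_id)].append(credential)

    def resolve(self, project, keychain, external_id):
        matches = self.by_key.get(self.key_for(project, keychain, external_id), [])
        if len(matches) != 1:
            # Fail closed: never guess which system's secret to hand to a job.
            raise CredentialLookupError(
                f"{len(matches)} credentials match external_id {external_id!r}")
        return matches[0]


def build_store(scoped_by_keychain):
    # Constructed sample data: one facility code, two target systems.
    store = CredentialStore(scoped_by_keychain)
    store.add("clinic-sync", "SystemA", "F001", "openmrs-credential")
    store.add("clinic-sync", "SystemB", "F001", "dhis2-credential")
    return store


if __name__ == "__main__":
    for scoped in (False, True):
        try:
            print(scoped, build_store(scoped).resolve("clinic-sync", "SystemA", "F001"))
        except CredentialLookupError as err:
            print(scoped, "refused:", err)
```

With the unscoped key both credentials land under one lookup key and resolution is refused rather than picking one arbitrarily; with the keychain in the key each system resolves to its own credential.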

Status: Product Backlog
