There appears to be a bug in the Users REST API regarding the externalId. For users that are created without an externalId, you can retrieve a User object by passing in the username as the externalId (i.e., 'externalId:someUsername') to the 'getUser' endpoint.
That seems all fine and good, up until you inspect the object that is retrieved. The User object retrieved will have a null value for the externalId field.
There is a contradiction here. You should either not be able to retrieve a user by the externalId, if that value does not exist, or the externalId field should reflect the externalId value that was passed in to retrieve the User object.
I performed this with Q2 2018, CU1; I'm not sure if this has been changed in a newer version.