aaronpk / draft-parecki-oauth-identity-assertion-authz-grant


Pairwise identifiers #3

Closed aaronpk closed 3 months ago

aaronpk commented 6 months ago

The subject identifier between apps doesn't need to be the same. Mention how the IdP can use a different subject identifier targeted at the AS.

sdesen commented 3 months ago

sub - The "User ID at the IdP" can be changed to "subject identifier" recognized by AS

randomstuff commented 3 months ago

sub - The User ID at the IdP can be changed to subject identifier recognized by AS

It might be worth discussing how the IdP could do this mapping.

sdesen commented 3 months ago

I think this is an implementation detail, but because the IdP is used by both RS and Client, it should understand the sub claims that the Resource Server's AS expects.

aaronpk commented 3 months ago

In typical SSO, an enterprise IdP might already send different subject identifiers for the same user to different apps that are signing in. This note is just to add a sentence that describes this, and also to make it clear that we are not trying to change this behavior to require that all user IDs are identical across both apps in this flow.

aaronpk commented 3 months ago

This was updated here and now no longer makes it sound like the sub value is the same across everything: https://github.com/aaronpk/draft-parecki-oauth-identity-assertion-authz-grant/commit/66a511fbd7695e214433ff4f5c0ec7b87c6af461
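As an added example (not code from the draft, its authors, or the commenters above), here is one way an IdP could do the per-audience mapping asked about earlier in the thread: derive a pairwise `sub` per audience using the pattern OpenID Connect Core 1.0 section 8.1 describes for pairwise subject identifiers (a keyed hash over sector identifier and local account ID), so the client app and the resource server's AS each receive a different `sub` for the same user, while the IdP can still map either back to the account. The issuer, sector identifiers, account IDs, salt and all function names below are assumptions made for this example, not values from the draft.

```python
"""
Added example, not code from the draft or its authors.

Shows how an IdP can issue pairwise (audience-specific) subject identifiers so
the same user is known by one `sub` at the client app and a different `sub` at
the authorization server (AS) protecting a resource server, and how the IdP
maps a presented `sub` back to its local account. Derivation follows the
pairwise pattern of OpenID Connect Core 1.0 section 8.1 using an HMAC.
Every identifier and the salt below is constructed sample data.
"""
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Assumed IdP-side secret that keys the derivation. Rotating it changes every
# pairwise sub, so a real deployment would treat it as long-lived key material.
IDP_PAIRWISE_SALT = b"constructed-example-salt-do-not-reuse"

# Assumed sector identifiers (the audience a sub is targeted at). The client
# app and the AS are different sectors, so they get unlinkable subs.
CLIENT_APP_SECTOR = "app.example.com"
RESOURCE_AS_SECTOR = "as.resource.example"
IDP_ISSUER = "https://idp.example.com"


def pairwise_sub(sector_identifier: str, local_account_id: str) -> str:
    """Derive a stable, audience-specific subject identifier.

    The same (sector, account) pair always yields the same sub; different
    sectors yield different subs that cannot be correlated without the
    IdP's salt, because the keyed hash is one-way.
    """
    # NUL separator prevents ambiguity between sector and account boundaries
    msg = f"{sector_identifier}\x00{local_account_id}".encode("utf-8")
    digest = hmac.new(IDP_PAIRWISE_SALT, msg, hashlib.sha256).digest()
    # URL-safe, unpadded base64 gives a clean string value for a JWT `sub`
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def assertion_claims(local_account_id: str, audience_sector: str) -> Dict[str, str]:
    """Claims the IdP would put in the token it mints for one audience.

    Called once per audience: for the client app's sign-in and again for the
    identity assertion targeted at the resource server's AS.
    """
    return {
        "iss": IDP_ISSUER,
        "sub": pairwise_sub(audience_sector, local_account_id),
        "aud": audience_sector,
    }


def resolve_local_account(sector_identifier: str, presented_sub: str,
                          known_accounts: Iterable[str]) -> Optional[str]:
    """IdP-side reverse mapping from (sector, sub) to a local account ID.

    Because the derivation is one-way, the IdP either stores the sub when it
    is first issued or, as here, recomputes it over its account table.
    Returns None when no account matches for that sector, which is also what
    happens if a sub issued for a different audience is presented.
    """
    for account_id in known_accounts:
        candidate = pairwise_sub(sector_identifier, account_id)
        if hmac.compare_digest(candidate, presented_sub):
            return account_id
    return None


if __name__ == "__main__":
    user = "uid=1234"  # constructed local account ID at the IdP
    for_app = assertion_claims(user, CLIENT_APP_SECTOR)
    for_as = assertion_claims(user, RESOURCE_AS_SECTOR)
    print("sub at client app:", for_app["sub"])
    print("sub at resource AS:", for_as["sub"])
    print("identical across audiences:", for_app["sub"] == for_as["sub"])
    print("AS-facing sub maps back to:",
          resolve_local_account(RESOURCE_AS_SECTOR, for_as["sub"], [user]))
```

The point of the separate `sector_identifier` input is that nothing in the flow requires the AS-facing `sub` to equal the one the client app already holds; the AS only needs a `sub` it recognizes as the same account across the tokens it receives from this IdP, which `pairwise_sub` guarantees by being deterministic per sector.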