Closed aaronpk closed 3 months ago
sub - The "User ID at the IdP" can be changed to "subject identifier" recognized by AS
It might be worth discussing how the IdP could do this mapping.
I think this is an implementation detail, but because the IdP is used by both RS and Client, it should understand the sub claims that the Resource Server's AS expects.
In typical SSO, an enterprise IdP might already send different subject identifiers for the same user to different apps that are signing in. This note is just to add a sentence that describes this, and also to make it clear that we are not trying to change this behavior to require that all user IDs are identical across both apps in this flow.
This was updated here and now no longer makes it sound like the sub value is the same across everything: https://github.com/aaronpk/draft-parecki-oauth-identity-assertion-authz-grant/commit/66a511fbd7695e214433ff4f5c0ec7b87c6af461
The subject identifier between apps doesn't need to be the same. Mention how the IdP can use a different subject identifier targeted at the AS.
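The per-audience subject identifier mapping discussed in this thread, as an added example (not code from the draft or its author): the IdP derives a distinct pairwise `sub` for the client app and for the AS, and the AS resolves only assertions whose `aud` is itself and whose `sub` it has on record. The pairwise derivation scheme, the issuer/audience names and the sample secret are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values (assumptions): an IdP-side secret plus the
# identifiers the IdP has registered for the client app and for the RS's AS.
IDP_PAIRWISE_SECRET = b"idp-pairwise-secret-example"
CLIENT_ID = "https://client.example"
AS_ID = "https://as.example"


def pairwise_sub(audience: str, local_user_id: str, secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Derive an audience-specific subject identifier (OIDC pairwise style, assumed here).

    The same IdP user gets a different opaque `sub` per audience, so the client
    app and the AS cannot correlate users by `sub` alone, and the AS sees the
    identifier the IdP targeted at it rather than the one the client received.
    """
    mac = hmac.new(secret, f"{audience}|{local_user_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_identity_assertion(local_user_id: str, audience: str) -> Dict[str, str]:
    """IdP builds the claims of an assertion targeted at `audience`.
    Signing is omitted; treat the dict as an already signature-verified payload."""
    return {"iss": "https://idp.example", "aud": audience,
            "sub": pairwise_sub(audience, local_user_id)}


class AuthorizationServer:
    """AS that knows only the AS-facing pairwise `sub` for each local account."""

    def __init__(self, as_id: str) -> None:
        self.as_id = as_id
        self.accounts: Dict[str, str] = {}  # AS-facing sub -> local account

    def register(self, as_facing_sub: str, account: str) -> None:
        self.accounts[as_facing_sub] = account

    def resolve(self, assertion: Dict[str, str]) -> Optional[str]:
        # Reject assertions minted for another audience (e.g. the client app);
        # their `sub` is a different identifier and must not be looked up.
        if assertion.get("aud") != self.as_id:
            return None
        return self.accounts.get(assertion.get("sub", ""))
```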