[Openid-specs-ab] [openid/connect] Messages - Add preferred_username, add warning to email. (issue #603)

Nat Sakimura issues-reply at bitbucket.org
Thu Jun 21 15:22:31 UTC 2012



New issue 603: Messages - Add preferred_username, add warning to email. 
https://bitbucket.org/openid/connect/issue/603/messages-add-preferred_username-add

Nat Sakimura:

Add a new claim, "preferred_username". 

{{{
preferred_username    string    Shorthand name that the End-User wishes to be referred to at the RP, such as
                                "janedoe" or "j.doe". This value MAY be any valid JSON string including special
                                characters such as "@", "/", or whitespace. This value MUST NOT be relied upon
                                to be unique by the RP. (See § 2.3.2.2)
email                 string    The End-User's preferred email address. This value MUST NOT be relied upon to
                                be unique by the RP. (See § 2.3.2.2)
}}}

== 2.3.2.2 Claim Stability and Uniqueness

The user_id claim is the only claim which a client can rely upon to be stable, since the user_id claim MUST be locally unique and never reassigned within the Issuer for a particular End-User as described in § 2.1.1. Therefore, the only guaranteed unique identifier for a given End-User is a combination of the Issuer's identifier and the user_id claim, and other fields such as preferred_username and email MUST NOT be used as unique identifiers for a given End-User.

All other claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use a given preferred_username or email address claim across different End-Users at different points in time, and the claimed preferred_username or email address for a given End-User MAY change over time.



I believe that this language allows IdPs that want to do so to tie preferred_username directly and uniquely to user_id (since some will), but it doesn't force them to and it cautions RPs away from relying on that across IdPs.

Responsible: ve7jtb
--

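The following is an added example, not part of the issue text or of the OpenID Connect specification, showing what the proposed § 2.3.2.2 rule means for a Relying Party's account table. It replays three constructed logins (issuer URLs, user_id values, handles and addresses are all made up) and compares three ways of keying local accounts: on email alone, on user_id alone, and on the (iss, user_id) pair that the text says is the only guaranteed-unique identifier. (In later drafts the user_id claim was renamed sub; the reasoning is unchanged.)

```python
# Added example (not from the issue or the spec): why an RP must key local
# accounts on (iss, user_id) rather than on email or preferred_username.
# All issuer URLs, user_id values, handles and addresses are constructed.

CLAIMS_OVER_TIME = [
    # login 0: Jane registers at the issuer as "janedoe"
    {"iss": "https://idp.example", "user_id": "24400320",
     "preferred_username": "janedoe", "email": "jane@example.com"},
    # login 1: Jane's account at the issuer was closed and the issuer later
    # reassigned her address and handle to another End-User (permitted by 2.3.2.2)
    {"iss": "https://idp.example", "user_id": "70018231",
     "preferred_username": "janedoe", "email": "jane@example.com"},
    # login 2: a different issuer that happens to use the same user_id string;
    # user_id is only unique within one issuer
    {"iss": "https://other-idp.example", "user_id": "24400320",
     "preferred_username": "jdoe", "email": "j.doe@example.org"},
]


def key_on_email(claims):
    """Anti-pattern: email MUST NOT be relied upon to be unique."""
    return claims["email"]


def key_on_user_id_only(claims):
    """Anti-pattern: user_id is unique only within a single Issuer."""
    return claims["user_id"]


def key_on_issuer_and_user_id(claims):
    """Correct: the only guaranteed-unique identifier is (iss, user_id)."""
    return (claims["iss"], claims["user_id"])


class AccountStore:
    """Minimal RP account table, keyed by whatever the chosen key function returns."""

    def __init__(self):
        self.accounts = {}

    def login(self, key, claims):
        """Record a login; return True if it matched an already existing account."""
        existing = key in self.accounts
        record = self.accounts.setdefault(key, {"logins": 0})
        # Unstable claims may be refreshed on each login for display purposes,
        # but they are never part of the key.
        record["display"] = claims.get("preferred_username")
        record["email"] = claims.get("email")
        record["logins"] += 1
        return existing


def simulate(key_fn, logins=CLAIMS_OVER_TIME):
    """Replay the logins under key_fn.

    Returns (number of local accounts created, indexes of logins that were
    matched to an account created by an earlier, different End-User).
    """
    store = AccountStore()
    merged = []
    for i, claims in enumerate(logins):
        if store.login(key_fn(claims), claims):
            merged.append(i)
    return len(store.accounts), merged


if __name__ == "__main__":
    for fn in (key_on_email, key_on_user_id_only, key_on_issuer_and_user_id):
        count, merged = simulate(fn)
        print(f"{fn.__name__:26s} accounts={count} merged_logins={merged}")
```

Keying on email silently logs the second End-User into Jane's existing account (login 1 is "merged"), and keying on user_id alone merges the other issuer's user into it (login 2); only the (iss, user_id) key yields three separate accounts. The display fields are still updated from preferred_username and email on every login, which is the intended use of those claims.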


