[Openid-specs-ab] Issue #1209: For migration, should support multiple subjects at once in portable identifiers cases (openid/connect)
david_waite
issues-reply at bitbucket.org
Thu Feb 18 03:07:21 UTC 2021
New issue 1209: For migration, should support multiple subjects at once in portable identifiers cases
https://bitbucket.org/openid/connect/issues/1209/for-migration-should-support-multiple
David Waite:
A traditional OP which wants to support portable identifiers such as DIDs in the current proposals would send them as the subject, with an extra claim with validation rules. However,
* This creates more message validation rules and edge case combinations between other potential extensions
* Using sub in this way precludes giving an actual public/pairwise identifier controlled by the OP, meaning you can neither migrate to nor from a portable identifier.
For this reason, I propose a new claim `subs` which is an unordered set of subject objects:
* Each can have an identifier behavior (subject type) of `public`, `pairwise` or `transient`
* Each can have a behavioral class, such as being scoped to the OP, a presented JWK or externally resolvable such as a portable identifier
* The type could also be further constrained so that it is specific to the subject processing/validation rules rather than needing to be generic - e.g. we don’t need to have a mechanism for every incarnation of portable identifiers, if it is easier to specify how a `did` class would be validated.
* The definition of a class could also define other JSON properties that are appropriate as part of the subject object, such as a portable identifier challenge response.
* OP metadata can list supported `subject_classes` as an object, with keys representing the name of the class and a value of either `true` or defined metadata for indicating the support of that class - e.g. a `did` class could indicate supported DID methods in an object value here.
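As an added illustration (not part of the issue or any OpenID specification), here is a constructed ID token claim set carrying the proposed `subs` claim with both an OP-controlled pairwise subject and a portable DID subject, the matching OP `subject_classes` metadata, and the consistency check a relying party could run over them. The subject-object field names `id`, `type` and `class`, the `op` class name, and the `methods` key in the `did` class metadata are assumptions made for the example.

```python
# Added illustration of the proposed `subs` claim; not from the issue or any spec.
# Assumed field names: `id`, `type`, `class` on subject objects, an `op` class for
# OP-scoped identifiers, and a `methods` list in the `did` class metadata.
SUBJECT_TYPES = {"public", "pairwise", "transient"}

# Constructed ID token claims: one OP-controlled pairwise subject and one portable
# DID subject carried at the same time, which is what makes migration possible.
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "aud": "client-123",
    "subs": [
        {"id": "7f2a9c0e-pairwise-for-client-123", "type": "pairwise", "class": "op"},
        {"id": "did:example:123456", "type": "public", "class": "did"},
    ],
}

# Constructed OP metadata: `subject_classes` keyed by class name; the value is
# `true` or class-specific metadata (here, the DID methods the OP will assert).
OP_METADATA = {
    "issuer": "https://op.example",
    "subject_classes": {"op": True, "did": {"methods": ["example", "key"]}},
}


def validate_subs(claims, metadata):
    """Return a list of problems; an empty list means `subs` is consistent with the OP metadata."""
    subs = claims.get("subs")
    if not isinstance(subs, list) or not subs:
        return ["subs must be a non-empty array of subject objects"]
    supported = metadata.get("subject_classes", {})
    problems = []
    for i, s in enumerate(subs):
        if s.get("type") not in SUBJECT_TYPES:
            problems.append(f"subs[{i}]: unknown subject type {s.get('type')!r}")
        cls = s.get("class")
        rules = supported.get(cls)
        if not rules:  # class missing from metadata, or explicitly false
            problems.append(f"subs[{i}]: class {cls!r} not supported by OP")
            continue
        if cls == "did":
            methods = rules.get("methods", []) if isinstance(rules, dict) else []
            parts = str(s.get("id", "")).split(":", 2)
            if len(parts) < 3 or parts[0] != "did":
                problems.append(f"subs[{i}]: malformed DID {s.get('id')!r}")
            elif parts[1] not in methods:
                problems.append(f"subs[{i}]: DID method {parts[1]!r} not supported by OP")
    return problems


def subject_of_class(claims, cls):
    """Identifier of the first subject object of class `cls`, or None if absent."""
    return next((s["id"] for s in claims.get("subs", []) if s.get("class") == cls), None)
```

An RP migrating accounts can link by `subject_of_class(claims, "op")` today and by `subject_of_class(claims, "did")` later, because both identifiers arrive in the same token.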