[Openid-specs-ab] Updates to aud_sub / account resolution PR
Dick Hardt
dick.hardt at gmail.com
Tue Aug 26 16:00:16 UTC 2025
Hey
Karl and I synced up recently and we have made a number of changes to the
PR.
Mike: We would like to discuss at the next meeting, if time allows.
https://github.com/openid/openid-provider-commands/pull/28
There are a number of editorial changes that make the PR pretty messy to
look at. Here is a clean copy to read:
https://openid.github.io/openid-provider-commands/aud_sub.html
Outstanding items once we agree on the normative changes:
- move all claims / properties into a single section at the top so it is clear what all the bits are
- clarify that `aud_sub` is optional in all Account Commands and add examples with it.
*Changes*
Editorial:
- added diagram for callback flow
- replaced Command Usage Overview with Command Use Cases
- renamed `unauthorize` command to `invalidate` -- as this is the OP and
not an AS
- provided more clarity on what `invalidate` does and made it consistent
- fixed RP metadata response for roles
Normative:
- added `aud_sub` as a claim the RP could return in audit commands and the OP would then use in Account Commands to identify the account
- added `aud_sub_required` - metadata from RP indicating that the OP MUST provide `aud_sub` in Account Commands
- added `authentication_provider` claim that represents which party or parties can authenticate the user:
  - **rp**: The Account can only be authenticated directly by the RP (e.g., username/password, RP-managed MFA)
  - **op**: The Account can only be authenticated by the requesting OP tenant
  - **op_migration**: The Account can be authenticated by either the RP or the OP tenant
  - **external**: The Account is authenticated by a different external authentication provider
  - **unknown**: The RP does not know, or does not want to share who the authentication provider is
- added `migrate` command for an OP to tell an RP that the OP will become the `authentication_provider`. The `op_migration` state can be used during migration
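The following is an added example and not part of Dick Hardt's message or of the openid-provider-commands project. It encodes the claim semantics the message lists (`aud_sub`, `aud_sub_required`, the five `authentication_provider` values) as a small resolver an OP might run over an RP's audit response before issuing an Account Command. The JSON shapes, the `sub` key and the function names are assumptions made for illustration; the draft itself defines the wire format.

```python
"""Added example, not the project's code: OP-side checks over the claims
described in the message. Key names other than `aud_sub`, `aud_sub_required`
and `authentication_provider` are assumed for illustration."""
from __future__ import annotations

# The five values the message lists for the `authentication_provider` claim.
AUTHENTICATION_PROVIDERS = {"rp", "op", "op_migration", "external", "unknown"}

# Values under which the requesting OP tenant may authenticate the account.
OP_CAN_AUTHENTICATE = {"op", "op_migration"}


class AccountResolutionError(ValueError):
    """Raised when an audit response cannot be turned into an account reference."""


def validate_audit_response(resp: dict) -> dict:
    """Reject audit-command responses whose claims are malformed."""
    ap = resp.get("authentication_provider")
    if ap is not None and ap not in AUTHENTICATION_PROVIDERS:
        raise AccountResolutionError(f"unknown authentication_provider value: {ap!r}")
    aud_sub = resp.get("aud_sub")
    if aud_sub is not None and (not isinstance(aud_sub, str) or not aud_sub):
        raise AccountResolutionError("aud_sub must be a non-empty string when present")
    if "sub" not in resp:  # `sub` assumed here to be the subject identifier the OP issued
        raise AccountResolutionError("audit response lacks sub")
    return resp


def resolve_account_reference(rp_metadata: dict, audit_resp: dict) -> dict:
    """Build the account-identifying claims for a later Account Command.

    `aud_sub` is optional in Account Commands, but when the RP's metadata sets
    `aud_sub_required` the OP MUST send it, so a missing value is a hard error
    rather than a silent fallback to `sub` alone.
    """
    validate_audit_response(audit_resp)
    required = bool(rp_metadata.get("aud_sub_required", False))
    aud_sub = audit_resp.get("aud_sub")
    if required and aud_sub is None:
        raise AccountResolutionError("RP requires aud_sub but the audit response did not include one")
    ref = {"sub": audit_resp["sub"]}
    if aud_sub is not None:
        ref["aud_sub"] = aud_sub
    return ref


def op_may_authenticate(audit_resp: dict) -> bool:
    """True when the requesting OP tenant may authenticate the account."""
    return audit_resp.get("authentication_provider") in OP_CAN_AUTHENTICATE


if __name__ == "__main__":
    # Constructed sample data, not taken from the draft.
    rp_meta = {"aud_sub_required": True}
    audit = {"sub": "248289761001", "aud_sub": "acct-42",
             "authentication_provider": "op_migration"}
    print(resolve_account_reference(rp_meta, audit))
    print("OP may authenticate:", op_may_authenticate(audit))
```

The resolver treats `aud_sub_required` as a hard constraint: an OP that quietly dropped `aud_sub` would leave the RP unable to tie the Account Command to the right account, which is exactly the ambiguity the claim is meant to remove.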