<div dir="ltr">
I support the adoption of this specification for one single reason: it lets us agree on what goes in an ID Token and in an OP Command to distinguish one OP tenant from another. This scenario is mostly applicable and needed in one particular context - when an OP “uses” the same issuer for all its tenants. There are many multi-tenant OPs that aren't "affected" by that; in other words, their tenants have their own issuers (this architecture should be encouraged as a best practice in my view).<br><br>A few other comments:<br><br><div>My recommendation would be to be flexible enough to express not only a single OP tenant, but also a sub-tenant in it when it's needed, and so forth. The tenant claim as a JSON string with an opaque value in it alone might not be a good fit for this. I think it's safe to say that use cases involving sub-tenants are quite common for various B2B authN scenarios.<br><br>The second comment is all about the values “personal” and “organization” in the tenant claim: they should be separated from this claim. Otherwise, there is too much room for abuse. To illustrate this, an ID Token (sub:12345 and tenant:personal) issued by an OP with the same issuer means different things for its tenant A (Org A) and tenant B (Org B). If I didn't get this part right from <a href="https://dickhardt.github.io/enterprise-extensions/openid-connect-enterprise-extensions.html#section-2.2">section 2.2</a>:<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The tenant claim is an opaque JSON string that represents a tenant identifier and MAY have the value personal, organization or a stable OP unique value for multi-tenant OPs. The personal value is reserved for when Accounts are managed by individuals. 
The organization value is reserved for Accounts managed by an organization.</blockquote><div><br></div>it needs to be rephrased and clarified.</div><div><br></div><div>All the best,</div><div>Andrii</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, May 22, 2025 at 4:37 PM Dick Hardt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">+1 as an author :) <br><br>For those not familiar, some of these extensions are based on requirements from IPSIE. If adopted, the 'tenant' text in OpenID Provider Commands would point to this document. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 22, 2025 at 3:21 PM Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt">This starts a two-week call for feedback on whether to adopt the OpenID Connect Enterprise Extensions specification contributed to the working group by Dick Hardt and Karl McGuinness as an OpenID Connect Working
Group specification. Please reply-all by Thursday, June 5<sup>th</sup> saying whether you are in favor of adoption or not, briefly also saying why.</span></p>
<p class="MsoNormal"><span style="font-size:11pt">For additional information, the specification repository is
</span><a href="https://github.com/dickhardt/enterprise-extensions" target="_blank">https://github.com/dickhardt/enterprise-extensions</a>.</p>
<p class="MsoNormal"> Writing as a working group chair,</p>
<p class="MsoNormal"> -- Mike</p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>
</blockquote></div>
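<p>The collision Andrii describes (same <code>iss</code>, same <code>sub</code>, <code>tenant:personal</code>, two different tenants) and the sub-tenant comment, worked through as Relying Party logic. This is an added example written for this page; it is not code from the thread, from the draft specification or from its authors. The issuer URL, the tenant identifiers, the <code>|</code>-joined account key and the JSON-array form of the <code>tenant</code> claim (tenant, sub-tenant, ...) are assumptions made for illustration; the draft only defines the claim as a JSON string.</p>

```python
"""Tenant-claim handling at a Relying Party whose OP uses one issuer for all tenants.

Added example, not from the mailing-list thread or the draft specification. The
array form of "tenant" and the account-key layout are assumptions for illustration.
Signature verification of the ID Token is assumed to have happened before these
checks run; they operate on the already-verified claims set.
"""
from __future__ import annotations

# Values the draft reserves for the tenant claim (as quoted in the thread).
RESERVED_TENANT_VALUES = frozenset({"personal", "organization"})


class TenantError(ValueError):
    """Raised when the tenant claim cannot be used to isolate accounts."""


def tenant_path(claims: dict) -> tuple[str, ...]:
    """Return the tenant as a path of identifiers, outermost first.

    A plain string is a single tenant (the form the draft defines). A JSON array
    of strings is a hypothetical hierarchical form (tenant, sub-tenant, ...) used
    here only to illustrate the sub-tenant comment; the draft does not define it.
    """
    value = claims.get("tenant")
    if isinstance(value, str):
        parts: tuple[str, ...] = (value,)
    elif isinstance(value, list) and value and all(isinstance(p, str) for p in value):
        parts = tuple(value)
    else:
        raise TenantError("tenant claim missing or malformed")
    if any(p == "" for p in parts):
        raise TenantError("empty tenant path segment")
    return parts


def validate_tenant(claims: dict, expected: tuple[str, ...]) -> tuple[str, ...]:
    """Check that the token's tenant is exactly the one this RP deployment serves.

    `expected` is the tenant path the RP was configured for, e.g. ("t_8f2a",) or
    ("t_8f2a", "dept-eng"). A token for another tenant, or for a parent or child
    of the expected one, is rejected. When the issuer is shared by every tenant,
    the reserved words "personal"/"organization" carry no tenant identity (every
    tenant's tokens would look the same), so they are rejected as identifiers.
    """
    path = tenant_path(claims)
    if any(p in RESERVED_TENANT_VALUES for p in path):
        raise TenantError(f"reserved word in {path!r} does not identify a tenant")
    if path != expected:
        raise TenantError(f"token tenant {path!r} != expected {expected!r}")
    return path


def account_key(claims: dict) -> str:
    """Stable key under which the RP stores the account: issuer, tenant path, sub.

    Including the tenant path is what keeps sub "12345" in tenant A apart from
    sub "12345" in tenant B when both tokens carry the same iss. The "|" join is
    an assumed layout; any injective encoding of the three parts would do.
    """
    path = tenant_path(claims)
    return "|".join((claims["iss"], *path, claims["sub"]))


# Constructed sample claim sets (not real tokens). One issuer serves every tenant.
SHARED_ISS = "https://op.example"  # assumed issuer URL
TOKEN_A_RESERVED = {"iss": SHARED_ISS, "sub": "12345", "tenant": "personal"}  # Org A
TOKEN_B_RESERVED = {"iss": SHARED_ISS, "sub": "12345", "tenant": "personal"}  # Org B
TOKEN_A = {"iss": SHARED_ISS, "sub": "12345", "tenant": "t_8f2a"}  # Org A, opaque id
TOKEN_B = {"iss": SHARED_ISS, "sub": "12345", "tenant": "t_c91d"}  # Org B, opaque id
TOKEN_A_SUB = {"iss": SHARED_ISS, "sub": "12345", "tenant": ["t_8f2a", "dept-eng"]}


def collides(a: dict, b: dict) -> bool:
    """True when two claim sets would be stored under the same account key."""
    return account_key(a) == account_key(b)


if __name__ == "__main__":
    # Reserved-word tenant: Org A's and Org B's user 12345 collapse into one account.
    print("reserved-word collision:", collides(TOKEN_A_RESERVED, TOKEN_B_RESERVED))
    # Opaque, OP-unique tenant identifiers keep them apart.
    print("opaque-id collision:    ", collides(TOKEN_A, TOKEN_B))
    print("account key:", account_key(TOKEN_A_SUB))
    for tok, expected in ((TOKEN_A, ("t_8f2a",)), (TOKEN_A_RESERVED, ("personal",)),
                          (TOKEN_A_SUB, ("t_8f2a",))):
        try:
            print("accepted", validate_tenant(tok, expected))
        except TenantError as err:
            print("rejected:", err)
```

<p>Run as a script it prints the collision for the reserved-word tokens, no collision for the opaque identifiers, and the accept/reject result of each check. The check deliberately refuses a child tenant for a deployment configured for the parent: whether a sub-tenant's users should be admitted to the parent's RP configuration is a policy decision, and defaulting it to "no" is the least-privilege choice.</p>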