[Openid-specs-authzen] OpenID Connect Email Account Linking Extension
Alex Babeanu
alex.babeanu at indykite.com
Wed Sep 24 06:17:59 UTC 2025
Hi Salim,
- the OAuth WG directed you here? Interesting... I guess the angle would be
that the `subject` in an AuthZEN request would be multi-valued... I think
we already cover that through "boxcarring" in the AuthZEN spec.
- As for: "I could use example at gmail.com as my primary identity and link
example1 at gmail.com to access the same app account." - I got that, and was
indeed questioning whether this would actually ever happen in the wild. Did
you write this draft based on an actual use case you've seen? Others may
have some input here too...
Cheers,
./\.
On Wed, Sep 24, 2025 at 9:07 AM Salim BOU ARAM <bouaram.salim at gmail.com>
wrote:
> Hi Alex,
>
> Thank you very much for taking the time to read the draft and share your
> feedback.
>
> The OAuth WG suggested I discuss the draft here.
>
> Just to clarify the “1-N secondary accounts” point: the idea is not that
> users must link multiple N accounts, but that they can choose to link
> additional accounts to their primary authenticated identity (up to an
> IdP-defined N limit). For example, if an app offers “Sign in with Google,”
> I could use example at gmail.com as my primary identity and link
> example1 at gmail.com to access the same app account.
>
> This may not have been clear in the draft.
>
> Thanks again for the feedback, and I look forward to more input.
>
> Best regards,
>
> Salim
>
> On Wed, 24 Sept 2025, 07:54 Alex Babeanu, <alex.babeanu at indykite.com>
> wrote:
>
>> Hi Salim-Amine,
>>
>> Well, I'm not sure the AuthZEN group is the right group for this one; it
>> looks more like an idea for the OAuth WG within IETF... I will let others
>> weigh in on that point.
>>
>> About the proposal, I think I'm not clear specifically on this: "User
>> authenticates 1-N secondary accounts (IdP-defined limit)"
>> --> based on experience in the field, users never actually do that. As a
>> user, I know I wouldn't do it myself. I think there's more value for an
>> organization in matching its various accounts based on common properties,
>> than enabling a sort of "email/Account-SSO": after all, these users
>> register different accounts for a reason: maybe for different types of
>> access or even anonymity...
>> My humble $0.02...
>>
>> Regards,
>>
>> ./\.
>>
>> On Tue, Sep 23, 2025 at 11:28 PM Salim BOU ARAM via Openid-specs-authzen <
>> openid-specs-authzen at lists.openid.net> wrote:
>>
>>> Hello,
>>>
>>> I’ve submitted a draft that proposes a way for an RP to let a user link
>>> multiple email accounts from the same IdP under a single primary identity.
>>> Secondary logins resolve to the primary account, and linkages can expire or
>>> be removed.
>>> (
>>> https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html
>>> )
>>>
>>> I’m interested to know if anyone finds this idea useful.
>>>
>>> This version is an initial draft and could be further enhanced based on
>>> community feedback.
>>>
>>> Best regards,
>>>
>>> Salim-Amine Bou Aram
>>> --
>>> Openid-specs-authzen mailing list
>>> Openid-specs-authzen at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>>
>>
>>
>> --
>>
>>
>> Alex Babeanu
>> Lead Product Manager, AI Control Suite
>> t. +1 604 728 8130
>> e. alex.babeanu at indykite.com
>> w. www.indykite.com
>>
>
--
Alex Babeanu
Lead Product Manager, AI Control Suite
t. +1 604 728 8130
e. alex.babeanu at indykite.com
w. www.indykite.com