[Openid-specs-authzen] OpenID Connect Email Account Linking Extension
Salim BOU ARAM
bouaram.salim at gmail.com
Wed Sep 24 07:58:49 UTC 2025

Hi Alex,

Thanks for clarifying. There isn’t a particular production use case I’ve
seen; this draft is more of a thought experiment.

The idea came from observing how people sometimes end up with multiple
accounts from the same IdP and wondering if there might be a standardized
way to let them unify access under one primary identity.

I appreciate your perspective on whether this kind of functionality would
be useful in practice, and I agree that concrete use cases will be
important to validate or discard the idea.

Best regards,

Salim

On Wed, 24 Sept 2025, 08:18 Alex Babeanu, <alex.babeanu at indykite.com> wrote:
> Hi Salim,
>
> - the OAuth WG directed you here? Interesting... I guess the angle would
> be that the `subject` in an AuthZEN request would be multi-valued... I
> think we already cover that through "boxcarring" in the AuthZEN spec.
> - As for: " I could use example at gmail.com as my primary identity and link
> example1 at gmail.com to access the same app account." - I got that, and was
> indeed questioning whether this would actually ever happen in the wild. Did
> you write this draft based on an actual use-case you've seen? Others may
> have some input here too...
>
> Cheers,
>
> ./\.
>
>
> On Wed, Sep 24, 2025 at 9:07 AM Salim BOU ARAM <bouaram.salim at gmail.com>
> wrote:
>
>> Hi Alex,
>>
>> Thank you very much for taking the time to read the draft and share your
>> feedback.
>>
>> The OAuth WG suggested I discuss the draft here.
>>
>> Just to clarify the “1-N secondary accounts” point: the idea is not that
>> users must link multiple N accounts, but that they can choose to link
>> additional accounts to their primary authenticated identity (up to an
>> IdP-defined N limit). For example, if an app offers “Sign in with Google,”
>> I could use example at gmail.com as my primary identity and link
>> example1 at gmail.com to access the same app account.
>>
>> This may not have been clear in the draft.
>>
>> Thanks again for the feedback, and I look forward to more input.
>>
>> Best regards,
>>
>> Salim
>>
>> On Wed, 24 Sept 2025, 07:54 Alex Babeanu, <alex.babeanu at indykite.com>
>> wrote:
>>
>>> Hi Salim-Amine,
>>>
>>> Well, I'm not sure the AuthZEN group is the right group for this one, it
>>> looks more like an idea for the OAuth WG within IETF... I will let others
>>> weigh in on that point.
>>>
>>> About the proposal, I think I'm not clear specifically on this: " User
>>> authenticates 1-N secondary accounts (IdP-defined limit)"
>>> --> based on experience in the field, users never actually do that. As a
>>> user, I know I wouldn't do it myself. I think there's more value for an
>>> organization in matching its various accounts based on common properties,
>>> than enabling a sort of "email/Account-SSO": after all, these users
>>> register different accounts for a reason: maybe for different types of
>>> access or even anonymity...
>>> My humble $0.02...
>>>
>>> Regards,
>>>
>>> ./\.
>>>
>>> On Tue, Sep 23, 2025 at 11:28 PM Salim BOU ARAM via Openid-specs-authzen
>>> <openid-specs-authzen at lists.openid.net> wrote:
>>>
>>>> Hello,
>>>>
>>>> I’ve submitted a draft that proposes a way for an RP to let a user link
>>>> multiple email accounts from the same IdP under a single primary identity.
>>>> Secondary logins resolve to the primary account, and linkages can expire or
>>>> be removed.
>>>> (
>>>> https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html
>>>> )
>>>>
>>>> I’m interested to know if anyone finds this idea useful.
>>>>
>>>> This version is an initial draft and could be further enhanced based on
>>>> community feedback.
>>>>
>>>> Best regards,
>>>>
>>>> Salim-Amine Bou Aram
>>>> --
>>>> Openid-specs-authzen mailing list
>>>> Openid-specs-authzen at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> Alex Babeanu
>>> Lead Product Manager, AI Control Suite
>>> t. +1 604 728 8130
>>> e. alex.babeanu at indykite.com
>>> w. www.indykite.com
>>>
>>
>
> --
>
>
> Alex Babeanu
> Lead Product Manager, AI Control Suite
> t. +1 604 728 8130
> e. alex.babeanu at indykite.com
> w. www.indykite.com
>