[Openid-specs-authzen] OpenID Connect Email Account Linking Extension
Omri Gazitt
omri at aserto.com
Wed Sep 24 16:19:53 UTC 2025
Perhaps the OAuth WG redirected you to the OpenID Connect working group?
This has more to do with authentication than authorization.
On Wed, Sep 24, 2025 at 12:59 AM Salim BOU ARAM via Openid-specs-authzen <
openid-specs-authzen at lists.openid.net> wrote:
> Hi Alex,
>
> Thanks for clarifying. There isn’t a particular production use case I’ve
> seen; this draft is more of a thought experiment.
>
> The idea came from observing how people sometimes end up with multiple
> accounts from the same IdP and wondering if there might be a standardized
> way to let them unify access under one primary identity.
>
> I appreciate your perspective on whether this kind of functionality would
> be useful in practice, and I agree that concrete use cases will be
> important to validate or discard the idea.
>
> Best regards,
>
> Salim
>
> On Wed, 24 Sept 2025, 08:18 Alex Babeanu, <alex.babeanu at indykite.com>
> wrote:
>
>> Hi Salim,
>>
>> - The OAuth WG directed you here? Interesting... I guess the angle would
>> be that the `subject` in an AuthZEN request would be multi-valued... I
>> think we already cover that through "boxcarring" in the AuthZEN spec.
>> - As for: "I could use example at gmail.com as my primary identity and
>> link example1 at gmail.com to access the same app account." - I got that,
>> and was indeed questioning whether this would actually ever happen in the
>> wild. Did you write this draft based on an actual use-case you've seen?
>> Others may have some input here too...
>>
>> Cheers,
>>
>> ./\.
>>
>>
>> On Wed, Sep 24, 2025 at 9:07 AM Salim BOU ARAM <bouaram.salim at gmail.com>
>> wrote:
>>
>>> Hi Alex,
>>>
>>> Thank you very much for taking the time to read the draft and share your
>>> feedback.
>>>
>>> The OAuth WG suggested I discuss the draft here.
>>>
>>> Just to clarify the “1-N secondary accounts” point: the idea is not that
>>> users must link multiple N accounts, but that they can choose to link
>>> additional accounts to their primary authenticated identity (up to an
>>> IdP-defined N limit). For example, if an app offers “Sign in with Google,”
>>> I could use example at gmail.com as my primary identity and link
>>> example1 at gmail.com to access the same app account.
>>>
>>> This may not have been clear in the draft.
>>>
>>> Thanks again for the feedback, and I look forward to more input.
>>>
>>> Best regards,
>>>
>>> Salim
>>>
>>>
>>>
>>>
>>> On Wed, 24 Sept 2025, 07:54 Alex Babeanu, <alex.babeanu at indykite.com>
>>> wrote:
>>>
>>>> Hi Salim-Amine,
>>>>
>>>> Well, I'm not sure the AuthZEN group is the right group for this one,
>>>> it looks more like an idea for the OAuth WG within IETF... I will let
>>>> others weigh in on that point.
>>>>
>>>> About the proposal, I think I'm not clear specifically on this: "User
>>>> authenticates 1-N secondary accounts (IdP-defined limit)"
>>>> --> based on experience in the field, users never actually do that. As
>>>> a user, I know I wouldn't do it myself. I think there's more value for an
>>>> organization in matching its various accounts based on common properties,
>>>> than enabling a sort of "email/Account-SSO": after all, these users
>>>> register different accounts for a reason: maybe for different types of
>>>> access or even anonymity...
>>>> My humble $0.02...
>>>>
>>>> Regards,
>>>>
>>>> ./\.
>>>>
>>>> On Tue, Sep 23, 2025 at 11:28 PM Salim BOU ARAM via
>>>> Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I’ve submitted a draft that proposes a way for an RP to let a user
>>>>> link multiple email accounts from the same IdP under a single primary
>>>>> identity. Secondary logins resolve to the primary account, and linkages can
>>>>> expire or be removed.
>>>>> (
>>>>> https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html
>>>>> )
>>>>>
>>>>> I’m interested to know if anyone finds this idea useful.
>>>>>
>>>>> This version is an initial draft and could be further enhanced based
>>>>> on community feedback.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Salim-Amine Bou Aram
>>>>> --
>>>>> Openid-specs-authzen mailing list
>>>>> Openid-specs-authzen at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> Alex Babeanu
>>>> Lead Product Manager, AI Control Suite
>>>> t. +1 604 728 8130
>>>> e. alex.babeanu at indykite.com
>>>> w. www.indykite.com
>>>>
>>>
>>
>> --
>>
>>
>> Alex Babeanu
>> Lead Product Manager, AI Control Suite
>> t. +1 604 728 8130
>> e. alex.babeanu at indykite.com
>> w. www.indykite.com
>>