[Openid-specs-authzen] OpenID Connect Email Account Linking Extension
Eve Maler
eve at vennfactory.com
Wed Sep 24 16:54:39 UTC 2025
I’m probably not helping by responding in this thread, since a proper discussion probably wants to live elsewhere, but here goes…
Usually either such multi-email associations are made heuristically based on common properties (as noted by Alex — see "identity resolution" systems as used by marketing), or are made deterministically by asking the user — as a one-time/extraordinary action — to identify and confirm a single related email at a time, through a traditional OAuth/OIDC linkage.
Eve Maler, president and founder
Cell and Signal +1 (425) 345-6756
On Sep 24, 2025, at 11:19 AM, Omri Gazitt via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Perhaps the OAuth WG redirected you to the OpenID Connect working group?
This has more to do with authentication than authorization.
On Wed, Sep 24, 2025 at 12:59 AM Salim BOU ARAM via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Hi Alex,
Thanks for clarifying. There isn’t a particular production use case I’ve seen; this draft is more of a thought experiment.
The idea came from observing how people sometimes end up with multiple accounts from the same IdP and wondering if there might be a standardized way to let them unify access under one primary identity.
I appreciate your perspective on whether this kind of functionality would be useful in practice, and I agree that concrete use cases will be important to validate or discard the idea.
Best regards,
Salim
On Wed, 24 Sept 2025, 08:18 Alex Babeanu, <alex.babeanu at indykite.com> wrote:
Hi Salim,
- the OAuth WG directed you here? Interesting... I guess the angle would be that the `subject` in an AuthZEN request would be multi-valued... I think we already cover that through "boxcarring" in the AuthZEN spec.
- As for: "I could use example at gmail.com as my primary identity and link example1 at gmail.com to access the same app account." - I got that, and was indeed questioning whether this would actually ever happen in the wild. Did you write this draft based on an actual use-case you've seen? Others may have some input here too...
Cheers,
./\.
On Wed, Sep 24, 2025 at 9:07 AM Salim BOU ARAM <bouaram.salim at gmail.com> wrote:
Hi Alex,
Thank you very much for taking the time to read the draft and share your feedback.
The OAuth WG suggested I discuss the draft here.
Just to clarify the “1-N secondary accounts” point: the idea is not that users must link multiple N accounts, but that they can choose to link additional accounts to their primary authenticated identity (up to an IdP-defined N limit). For example, if an app offers “Sign in with Google,” I could use example at gmail.com as my primary identity and link example1 at gmail.com to access the same app account.
This may not have been clear in the draft.
Thanks again for the feedback, and I look forward to more input.
Best regards,
Salim
On Wed, 24 Sept 2025, 07:54 Alex Babeanu, <alex.babeanu at indykite.com> wrote:
Hi Salim-Amine,
Well, I'm not sure the AuthZEN group is the right group for this one, it looks more like an idea for the OAuth WG within IETF... I will let others weigh in on that point.
About the proposal, I think I'm not clear specifically on this: " User authenticates 1-N secondary accounts (IdP-defined limit)"
--> based on experience in the field, users never actually do that. As a user, I know I wouldn't do it myself. I think there's more value for an organization in matching its various accounts based on common properties, than enabling a sort of "email/Account-SSO": after all, these users register different accounts for a reason: maybe for different types of access or even anonymity...
My humble $0.02...
Regards,
./\.
On Tue, Sep 23, 2025 at 11:28 PM Salim BOU ARAM via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Hello,
I’ve submitted a draft that proposes a way for an RP to let a user link multiple email accounts from the same IdP under a single primary identity. Secondary logins resolve to the primary account, and linkages can expire or be removed.
(https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html)
I’m interested to know if anyone finds this idea useful.
This version is an initial draft and could be further enhanced based on community feedback.
Best regards,
Salim-Amine Bou Aram
--
Openid-specs-authzen mailing list
Openid-specs-authzen at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-authzen
--
Alex Babeanu
Lead Product Manager, AI Control Suite
t. +1 604 728 8130
e. alex.babeanu at indykite.com
w. www.indykite.com