<div dir="auto"><div dir="auto"><div dir="auto"><br></div><div dir="auto">Hi Jeff,</div><div dir="auto"><br></div><div dir="auto">Thanks a lot for the detailed reply and for sharing how AWS handles this; it is really helpful context.</div><div dir="auto"><br></div><div dir="auto">Just to clarify, in my idea the flow still starts at the app side with a normal OIDC login, but with an extra option for the user to link other accounts. Each account (including the primary) is authenticated normally by the IdP, so the IdP remains in control.</div><div dir="auto"><br></div><div dir="auto">The main thought behind this draft is whether having a standardized way to do this at the IdP level could make life easier for apps and provide a more consistent user experience, instead of building custom linking APIs.</div><div dir="auto"><br></div><div dir="auto">Best,</div><div dir="auto"><br></div><div dir="auto">Salim</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 24 Sept 2025, 20:06 Lombardo, Jeff, <<a href="mailto:jeffsec@amazon.com" target="_blank" rel="noreferrer">jeffsec@amazon.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="FR-CA" link="blue" vlink="purple" style="word-wrap:break-word;line-break:after-white-space">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Salim,<br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt">+1 to the comments made below:<br>
<br>
- this sounds like an identity problem, so an OpenID Connect problem<br>
- the point is you have been sent to the AuthZEN working group of the OpenID Foundation, not the OpenID Connect Working Group of the OpenID Foundation<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt">This being said, and in my personal opinion, leaving the members of the OpenID Connect Working Group to give a formal answer, account linking is something that
<a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html" rel="noreferrer noreferrer" target="_blank">
we do at AWS in Amazon Cognito</a>. Okta/Auth0 does the <a href="https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/auth0/actions/linkaccount.htm" rel="noreferrer noreferrer" target="_blank">
same</a>. But this is outside OpenID Connect.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt">What happens is that:<u></u><u></u></span></p>
<ul style="margin-top:0cm" type="disc">
<li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">The user authenticates with one account for the Client Application<u></u><u></u></span></li></ul>
<ul style="margin-top:0cm" type="disc">
<li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">The Client Application offers Account linking capabilities if the user wants to go there<u></u><u></u></span></li><li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">The user can decide to use the capability and the application will use the Access Token it has to call the Account
 Linking API<u></u><u></u></span></li><li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">The Account Linking API will authenticate the user through secondary accounts<u></u><u></u></span></li><li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">Any newly minted token will bear the linked account information, if successful, starting from the next issuance<u></u><u></u></span></li></ul>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt">From your proposal you want to start the flow of linking at the Authorization request:<u></u><u></u></span></p>
<ul style="margin-top:0cm" type="disc">
<li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">The Linking flow as proposed will be initiated by the Client Application… but the client application has no clue:<u></u><u></u></span></li><ul style="margin-top:0cm" type="circle">
<li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">If there are some account(s) to link as the user is not even authenticated<u></u><u></u></span></li><li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">Which account(s) should be linked as there might be some false positive expectations: it is not because there
 is a </span><a href="mailto:jdoe@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA" style="font-size:11.0pt">jdoe@gmail.com</span></a><span lang="EN-CA" style="font-size:11.0pt"> that this is an account to be linked to
</span><a href="mailto:john.doe@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA" style="font-size:11.0pt">john.doe@gmail.com</span></a><span lang="EN-CA" style="font-size:11.0pt"> while on the contrary
</span><a href="mailto:mustangrider@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA" style="font-size:11.0pt">mustangrider@gmail.com</span></a><span style="font-size:11.0pt">
<span lang="EN-CA">might be another persona of </span></span><a href="mailto:jdoe@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA" style="font-size:11.0pt">jdoe@gmail.com</span></a><span lang="EN-CA" style="font-size:11.0pt">.
 There are also privacy concerns on trying to reconcile or propose association of accounts while the owner wants to ensure those remain disjointed.<u></u><u></u></span></li></ul>
</ul>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-CA" style="font-size:11.0pt"><br>
Overall, this sounds like setting linking=true would add a lot of friction to the flow to go through while it is not or no longer necessary.<br>
<br>
<u></u><u></u></span></p>
<ul style="margin-top:0cm" type="disc">
<li style="margin-left:0cm"><span lang="EN-CA" style="font-size:11.0pt">I do not quite get the linking period either… why would a linking expire after some time?<u></u><u></u></span></li></ul>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA">Overall, while thought experiments and gut feelings are great, the OpenID Foundation and IETF work from problems from the field. If you want to pursue this proposal, you need to be able to answer the broader question of
 why it makes more sense to deal with this at the OpenID / OAuth layer than at the IdP layer.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA">Jeff<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Amazon Ember Heavy",sans-serif">Jean-François “<span style="color:#e97132">Jeff</span>” Lombardo</span></b><span> </span><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif">|<span style="color:gray">
</span><span style="color:#e97132">Amazon Web Services</span></span><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:#e97132"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:4.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray">Principal Solution Architect, Security Specialist<br>
Montréal, Canada<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray">+1 514 778 5565<br>
<br>
<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-authzen <<a href="mailto:openid-specs-authzen-bounces@lists.openid.net" rel="noreferrer noreferrer" target="_blank">openid-specs-authzen-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Eve Maler via Openid-specs-authzen<br>
<b>Sent:</b> September 24, 2025 12:55 PM<br>
<b>To:</b> AuthZEN Working Group List <<a href="mailto:openid-specs-authzen@lists.openid.net" rel="noreferrer noreferrer" target="_blank">openid-specs-authzen@lists.openid.net</a>><br>
<b>Cc:</b> Eve Maler <<a href="mailto:eve@vennfactory.com" rel="noreferrer noreferrer" target="_blank">eve@vennfactory.com</a>><br>
<b>Subject:</b> RE: [EXT] [Openid-specs-authzen] OpenID Connect Email Account Linking Extension<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><span lang="EN-CA">I’m probably not helping by responding in this thread, since a proper discussion probably wants to live elsewhere, but here goes…
<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Usually either such multi-email associations are made heuristically based on common properties (as noted by Alex — see "identity resolution" systems as used by marketing), or are made deterministically by asking the user
 — as a one-time/extraordinary action — to identify and confirm a single related email at a time, through a traditional OAuth/OIDC linkage.<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:9.0pt;font-family:"SpaceGrotesk-Medium",serif;color:#476458">Eve Maler, president and founder</span><span lang="EN-CA" style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:9.0pt;font-family:"SpaceGrotesk-Medium",serif;color:#476458">Cell and Signal </span><a href="tel:+1-425-345-6756" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA" style="font-size:9.0pt;font-family:"SpaceGrotesk-Medium",serif">+1
 (425) 345-6756</span></a><span lang="EN-CA" style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black"><u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><br>
<br>
<u></u><u></u></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-CA">On Sep 24, 2025, at 11:19</span><span lang="EN-CA" style="font-family:"Arial",sans-serif"> </span><span lang="EN-CA">AM, Omri Gazitt via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" rel="noreferrer noreferrer" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Perhaps the OAuth WG redirected you to the OpenID Connect working group? <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">This has more to do with authentication than authorization. <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">On Wed, Sep 24, 2025 at 12:59</span><span lang="EN-CA" style="font-family:"Arial",sans-serif"> </span><span lang="EN-CA">AM Salim BOU ARAM via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">openid-specs-authzen@lists.openid.net</span></a><span lang="EN-CA">>
 wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-CA">Hi Alex, <u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Thanks for clarifying. There isn’t a particular production use case I’ve seen; this draft is more of a thought experiment. <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">The idea came from observing how people sometimes end up with multiple accounts from the same IdP and wondering if there might be a standardized way to let them unify access under one primary identity.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">I appreciate your perspective on whether this kind of functionality would be useful in practice, and I agree that concrete use cases will be important to validate or discard the idea.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Best regards,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Salim<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">On Wed, 24 Sept 2025, 08:18 Alex Babeanu, <</span><a href="mailto:alex.babeanu@indykite.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">alex.babeanu@indykite.com</span></a><span lang="EN-CA">> wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-CA">Hi Salim, <u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">- the OAuth WG directed you here? Interesting... I guess the angle would be that the `subject` in an AuthZEN request would be multi-valued... I think we already cover that through "boxcarring" in the AuthZEN spec.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">- As for: " I could use </span><a href="mailto:example@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">example@gmail.com</span></a><span lang="EN-CA"> as my primary identity and link </span><a href="mailto:example1@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">example1@gmail.com</span></a><span lang="EN-CA"> to
 access the same app account." - I got that, and was indeed questioning whether this would actually ever happen in the wild. Did you write this draft based on an actual use-case you've seen? Others may have some input here too...<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Cheers,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">./\.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">On Wed, Sep 24, 2025 at 9:07</span><span lang="EN-CA" style="font-family:"Arial",sans-serif"> </span><span lang="EN-CA">AM Salim BOU ARAM <</span><a href="mailto:bouaram.salim@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">bouaram.salim@gmail.com</span></a><span lang="EN-CA">>
 wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p><span lang="EN-CA">Hi Alex,<u></u><u></u></span></p>
<p><span lang="EN-CA">Thank you very much for taking the time to read the draft and share your feedback. <u></u><u></u></span></p>
<p><span lang="EN-CA">The OAuth WG suggested I discuss the draft here.<u></u><u></u></span></p>
<p><span lang="EN-CA">Just to clarify the “1-N secondary accounts” point: the idea is not that users must link multiple N accounts, but that they can choose to link additional accounts to their primary authenticated identity (up to an IdP-defined N limit).
 For example, if an app offers “Sign in with Google,” I could use </span><a href="mailto:example@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">example@gmail.com</span></a><span lang="EN-CA"> as my primary identity and link
</span><a href="mailto:example1@gmail.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">example1@gmail.com</span></a><span lang="EN-CA"> to access the same app account.<u></u><u></u></span></p>
<p><span lang="EN-CA">This may not have been clear in the draft.<u></u><u></u></span></p>
<p><span lang="EN-CA"> Thanks again for the feedback, and I look forward to more input.<u></u><u></u></span></p>
<p><span lang="EN-CA">Best regards,<u></u><u></u></span></p>
<p><span lang="EN-CA">Salim<u></u><u></u></span></p>
<p><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"> <u></u><u></u></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">On Wed, 24 Sept 2025, 07:54 Alex Babeanu, <</span><a href="mailto:alex.babeanu@indykite.com" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">alex.babeanu@indykite.com</span></a><span lang="EN-CA">> wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-CA">Hi Salim-Amine, <u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Well, I'm not sure the AuthZEN group is the right group for this one, it looks more like an idea for the OAuth WG within IETF... I will let others weigh in on that point.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">About the proposal, I think I'm not clear specifically on this: "</span><span lang="EN-CA" style="font-size:10.5pt;font-family:"Noto Sans",sans-serif"> User authenticates 1-N secondary accounts (IdP-defined limit)</span><span lang="EN-CA">"<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">--> based on experience in the field, users never actually do that. As a user, I know I wouldn't do it myself. I think there's more value for an organization in matching its various accounts based on common properties,
 than enabling a sort of "email/Account-SSO": after all, these users register different accounts for a reason: maybe for different types of access or even anonymity...<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">My humble $0.02...<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Regards,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">./\.<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-CA">On Tue, Sep 23, 2025 at 11:28</span><span lang="EN-CA" style="font-family:"Arial",sans-serif"> </span><span lang="EN-CA">PM Salim BOU ARAM via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">openid-specs-authzen@lists.openid.net</span></a><span lang="EN-CA">>
 wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-CA">Hello, <u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">I’ve submitted a draft that proposes a way for an RP to let a user link multiple email accounts from the same IdP under a single primary identity. Secondary logins resolve to the primary account, and linkages can expire
 or be removed.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">(</span><a href="https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">https://www.ietf.org/archive/id/draft-bouaram-oidc-email-linking-extension-00.html</span></a><span lang="EN-CA">)<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">I’m interested to know if anyone finds this idea useful.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">This version is an initial draft and could be further enhanced based on community feedback.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Best regards,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA">Salim-Amine Bou Aram<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA">-- <br>
Openid-specs-authzen mailing list<br>
</span><a href="mailto:Openid-specs-authzen@lists.openid.net" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">Openid-specs-authzen@lists.openid.net</span></a><span lang="EN-CA"><br>
</span><a href="https://lists.openid.net/mailman/listinfo/openid-specs-authzen" rel="noreferrer noreferrer" target="_blank"><span lang="EN-CA">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</span></a><span lang="EN-CA"><u></u><u></u></span></p>
</blockquote>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><br clear="all">
<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span>-- </span><u></u><u></u></p>
<div>
<div>
<table border="0" cellspacing="0" cellpadding="0" width="600" style="width:450.0pt">
<tbody>
<tr>
<td width="44" valign="top" style="width:33.0pt;padding:0cm 12.0pt 0cm 12.0pt">
</td>
<td width="16" style="width:12.0pt;border:none;border-left:solid #d4d4d4 1.0pt;padding:24.0pt 0cm 24.0pt 0cm">
</td>
<td valign="top" style="padding:24.0pt 0cm 24.0pt 0cm">
<p class="MsoNormal"><b><span style="font-size:11.5pt;font-family:"Segoe UI",sans-serif"><br>
Alex Babeanu</span></b><span style="font-size:11.5pt;font-family:"Segoe UI",sans-serif"><br>
</span><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif">Lead Product Manager, AI Control  Suite</span><span style="font-size:11.5pt;font-family:"Segoe UI",sans-serif"><br>
</span><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#4c4c4c">t. +1 604 728 8130<br>
e. </span><a href="mailto:alex.babeanu@indykite.com" rel="noreferrer noreferrer" target="_blank"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#1155cc">alex.babeanu@indykite.com</span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#4c4c4c"> <br>
w. </span><a href="http://www.indykite.com/" rel="noreferrer noreferrer" target="_blank"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#1155cc">www.indykite.com</span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif"><u></u><u></u></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>

</blockquote></div></div>