[Openid-specs-risc] openid/sharedsignals: New Issue opened
github at oidf.org
github at oidf.org
Tue Aug 26 10:34:40 UTC 2025
openid/sharedsignals event
Issue opened
Issue Title: Adding/removing subjects with the "aliases" format
https://github.com/openid/sharedsignals/issues/288
If a subject with the `"aliases"` format ([RFC 9493 Subject Identifiers for Security Event Tokens](https://www.rfc-editor.org/rfc/rfc9493.html), [Section 3.2.8. Aliases Identifier Format](https://www.rfc-editor.org/rfc/rfc9493.html#section-3.2.8)) is added to a stream using the Add Subject Endpoint ([OpenID Shared Signals Framework Specification 1.0](https://openid.net/specs/openid-sharedsignals-framework-1_0.html), [Section 8.1.3.2. Adding a Subject to a Stream](https://openid.net/specs/openid-sharedsignals-framework-1_0.html#section-8.1.3.2)) like below, ``` POST /ssf/subjects:add HTTP/1.1 Host: transmitter.example.com Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo= { "stream_id": "f67e39a0a4d34d56b3aa1bc4cff0069f", "subject": { "format": "aliases", "identifiers": [ { "format": "email", "email": "user at example.com" }, { "format": "phone_number", "phone_number": "+12065550100" }, { "format": "email", "email": "user+qualifier at example.com" } ] } } ``` and then a subject with one of the aliases is removed from the stream using the Remove Subject Endpoint like below, ``` POST /ssf/subjects:remove HTTP/1.1 Host: transmitter.example.com Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo= { "stream_id": "f67e39a0a4d34d56b3aa1bc4cff0069f", "subject": { "format": "email", "email": "user at example.com" } } ``` how should the transmitter behave? Should events related to `{"format":"email", "email":"user at example.com"}` be still delivered via the stream or not? Likewise, if two Add Subject calls with a simple subject are performed like below, ``` POST /ssf/subjects:add HTTP/1.1 Host: transmitter.example.com Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo= { "stream_id": "f67e39a0a4d34d56b3aa1bc4cff0069f", "subject": { "format": "email", "email": "user at example.com" } } ``` ``` POST /ssf/subjects:add HTTP/1.1 Host: transmitter.example.com Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo= { "stream_id": "f67e39a0a4d34d56b3aa1bc4cff0069f", "subject": { "format": "phone_number", "phone_number": "+12065550100" } } ``` and then a Remove Subject request including the added subjects as aliases is made like below, ``` POST /ssf/subjects:remove HTTP/1.1 Host: transmitter.example.com Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo= { "stream_id": "f67e39a0a4d34d56b3aa1bc4cff0069f", "subject": { "format": "aliases", "identifiers": [ { "format": "email", "email": "user at example.com" }, { "format": "phone_number", "phone_number": "+12065550100" } ] } } ``` how should the transmitter behave? Should events related to the subjects be still delivered via the stream or not? In other words, the question is whether an Add Subject / Remove Subject request with `"format":"aliases"` should be treated as a bulk operation on the subject identifiers listed in the `"identifiers"` array.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20250826/84cff3ed/attachment-0001.htm>
More information about the Openid-specs-risc
mailing list