How to express compound subject identifier such as that of OpenID Connect?

[sakimura]

Just read the spec (https://openid.net/specs/authorization-api-1_0-05.html) quickly, so I probably am missing something, but it appeared to me that there is no mention of a complex identifier.

How do you guys envision connecting/reconciling with the OIDC world?

There can be several ways to achieve it, but I wanted to know what the WG's consensus is now.

Best,

Nat

[tulshi]

Hi Nat, although you are referring to the AuthZEN spec in your issue, I assume the question remains the same regarding reconciling complex subjects in SSF with the OIDC spec. To answer your question, I think the "sub" value in the ID Token, as well as the "email" and "phone_number" values in the UserInfo can be used to form complex subject values in SSF if required. However, we expect the use of complex subjects in SSF to be primarily to "down scope" an event from a broad subject (e.g., email), to a finer definition of the subject (i.e., this session on this device of this user). This is so that a security event doesn't affect all sessions of the user if it is intended only for one of them.