Hi Warren,

Thanks for your thoughts. You’re right, most IdPs don’t currently support multiple emails, so there aren’t many examples today beyond GitHub.

This draft is more about preparing for possible future support and improving user experience where users already expect to manage multiple emails under one account. I agree the OpenID list is the right place to continue the discussion.

Best,
Salim

On Thu, 18 Sept 2025, 12:47 Warren Parad, <wpa...@rhosys.ch> wrote:

> Agreed with the OpenID list being a better place to discuss exposure to multiple emails. The part I'm still missing for this is where is the interoperability? Most IdPs don't support multiple emails today, which means we aren't trying to standardize on something that is already happening, but rather a hypothetical future which might never happen. Can you share which exact IdPs, besides GitHub, support multiple email addresses/identity linking in the first place? (And of course GitHub doesn't support identity linking, so it also isn't a good example, right?)
>
> On Thu, Sep 18, 2025 at 12:44 PM Salim BOU ARAM <bouaram.sa...@gmail.com> wrote:
>
>> Hi Thomas,
>>
>> Thank you for the feedback and for pointing me to the OpenID list — I’ll take the discussion there as suggested.
>>
>> To clarify your question: the “auth secondary 1/N” in the schema means that the user can authenticate multiple secondary email accounts they want to link. The number of accounts (N) is defined and controlled by the IdP’s policy.
>>
>> I also understand your point about sub being the proper identifier in OIDC. My draft focuses on providing a standard way for IdPs to expose secondary emails when they already support them internally, so relying applications don’t have to handle this differently across providers.
>>
>> Thanks again for your comments.
>>
>> Best,
>>
>> Salim-Amine
>>
>> On Thu, 18 Sept 2025, 12:35 Thomas Broyer, <t.bro...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> This should probably rather be discussed at the OpenID : https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>> Fwiw, I don't understand the "auth secondary 1/N" in the schema, and the "account resolution".
>>>
>>> It looks like you're trying to solve a problem that some RPs might have by using the email address as an identifier instead of the "sub", so now there's a need to "migrate" that identifier to another value when the user changes their email address. But that's a misuse of OIDC by the RP, that can and should be solved on the RP side.
>>>
>>> The email address in OIDC is only that: an information of how to contact that user by mail, and certainly not an identifier for that user (that's what the "sub" is for)
>>>
>>> On Thu, Sep 18, 2025 at 12:14 PM Salim BOU ARAM <bouaram.sa...@gmail.com> wrote:
>>>
>>>> Dear all,
>>>>
>>>> I’ve published a draft: *OpenID Connect Email Account Linking Extension <https://datatracker.ietf.org/doc/draft-bouaram-oidc-email-linking-extension/00/>*
>>>> It extends the email scope to support linking multiple addresses under the same IdP.
>>>>
>>>> The draft is still early and needs enhancements, which I’d be glad to work on if there’s community interest.
>>>>
>>>> Feedback and collaboration would be very welcome.
>>>>
>>>> Best,
>>>>
>>>> Salim
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-le...@ietf.org
>>>
>>> --
>>> Thomas Broyer
>>> /tɔ.ma.bʁwa.je/ <https://ipa-reader.com/?text=t%C9%94.ma.b%CA%81wa.je&voice=Mathieu>
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
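
The RP-side handling Thomas Broyer describes in the thread above (keying accounts on `sub` rather than on the email address), as an added example that is not part of the thread or of the draft. The class names, issuer URL and claim values are constructed for illustration, and the claims are assumed to come from ID tokens the RP has already validated.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Account:
    account_id: int
    contact_email: str = ""   # contact data only, never a lookup key

class SubKeyedStore:
    """RP account table keyed on (iss, sub), the stable OIDC identifier."""
    def __init__(self):
        self._accounts, self._ids = {}, count(1)

    def resolve(self, claims):
        key = (claims["iss"], claims["sub"])
        if key not in self._accounts:
            self._accounts[key] = Account(next(self._ids))
        account = self._accounts[key]
        # Refresh the contact address only when the IdP marks it verified.
        if claims.get("email_verified") is True and claims.get("email"):
            account.contact_email = claims["email"]
        return account

class EmailKeyedStore:
    """The misuse described in the thread: account table keyed on email."""
    def __init__(self):
        self._accounts, self._ids = {}, count(1)

    def resolve(self, claims):
        key = claims["email"].lower()
        if key not in self._accounts:
            self._accounts[key] = Account(next(self._ids), claims["email"])
        return self._accounts[key]

# Constructed claims (hypothetical issuer and subjects).
ISS = "https://idp.example"
BEFORE = {"iss": ISS, "sub": "u-1001", "email": "old@example.com", "email_verified": True}
AFTER = {"iss": ISS, "sub": "u-1001", "email": "new@example.com", "email_verified": True}
OTHER = {"iss": ISS, "sub": "u-2002", "email": "old@example.com", "email_verified": True}

def logins(store):
    """Return the account_id each constructed login resolves to."""
    return [store.resolve(c).account_id for c in (BEFORE, AFTER, OTHER)]

if __name__ == "__main__":
    print("sub-keyed  :", logins(SubKeyedStore()))    # same user keeps one account
    print("email-keyed:", logins(EmailKeyedStore()))  # split on change, merged on reuse
```

With the `(iss, sub)` key, the email change needs no migration step at the RP; with the email key, the same user is split across two accounts and a different subject presenting the old address lands in the first one.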