14 changes: 12 additions & 2 deletions openid-connect-ephemeral-subject-identifier-1_0.md
@@ -53,7 +53,13 @@ The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID communit
{mainmatter}

# Introduction
This document specifies an ephemeral subject identifier type for [OpenID Connect Core 1.0][OIDC]. The ephemeral subject identifier identifies the End-User for a short time and remains constant for the duration of the authentication session. In subsequent visits by the End-User to a Relying Party application that requires authentication, the authorization server will return a subject identifier with a different value. The authorization server provides an ephemeral subject identifier to the Relying Party in the ID Token and UserInfo endpoint response as specified by [OpenID Connect Core 1.0][OIDC].
This document specifies an ephemeral subject identifier type for [OpenID Connect Core 1.0][OIDC]. The ephemeral subject identifier identifies the End-User for a short time and remains constant for the duration of the authentication session. In subsequent visits by the End-User to a Relying Party application that requires authentication, the authorization server will return a subject identifier with a different value. The authorization server provides an ephemeral subject identifier to the Relying Party in the ID Token and UserInfo endpoint response as specified by [OpenID Connect Core 1.0][OIDC].

There are several reasons for defining it:
* It is already used in some ecosystems. Standardizing it would therefore reduce existing variations;
* It is a condition needed to mathematically prove that OIDC/SIOP fulfills the Unlinkability Level (UL) 3A+ defined in ISO/IEC 27551 Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication.

Examples of attribute-based unlinkable entity authentication include Overage verification, Underage verification, Registered domicile verification, etc.


# Requirements Notation and Conventions
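Review bot: the second bullet of the new rationale list cites ISO/IEC 27551 by its full title inline, whereas the rest of the document uses bracketed reference keys (e.g. [OIDC]); write it as `[ISO/IEC 27551]` so it resolves to the informative reference entry rather than duplicating the title here. The same bullet says the ephemeral identifier is "a condition needed" to prove UL 3A+; state explicitly that it is necessary but not claimed to be sufficient on its own, and cite the clause of ISO/IEC 27551 that defines Unlinkability Level 3A+ so readers can check the claim. Minor style: the first bullet ends with a semicolon and the second with a period, and "Overage"/"Underage" in the examples sentence should be lowercase mid-sentence. The replaced Introduction paragraph appears textually identical to the original; if this is a whitespace-only change, consider reverting it to keep the diff and blame history clean.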
@@ -130,6 +136,10 @@ The following referenced documents are indispensable for the application of this
[OpenID.Registration] - OpenID Connect Registration 1.0
[OpenID.Registration]: http://openid.net/specs/openid-connect-registration-1_0.html

## Informative references

[ISO/IEC 27551] - Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication
[ISO/IEC 27551]: https://www.iso.org/standard/72018.html

{backmatter}

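Review bot: the new "## Informative references" section has no lead sentence, while the normative section above it opens with "The following referenced documents are indispensable for the application of this …"; add a parallel sentence stating that the following documents are cited for information only and are not required to implement this specification. The entry for ISO/IEC 27551 gives no edition or publication year, and ISO standards are revised in place at the same number, so a reader cannot tell which text the UL 3A+ claim in the Introduction relies on; add the year/edition to the entry. The reference key `[ISO/IEC 27551]` contains a space and a slash, unlike the existing keys such as `[OpenID.Registration]`; check that the document's markdown processor resolves such keys, or use a key in the established form (e.g. `[ISO.27551]`) and update the inline citation to match.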
@@ -151,6 +161,6 @@ The technology described in this specification was made available from contribut

[[ To be removed from the final specification ]]

-01
-01 Added rationale for this document and a reference to ISO/IEC 27551.

* initial revision
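Review bot: the document history now reads "-01 Added rationale for this document and a reference to ISO/IEC 27551." followed by the bullet "* initial revision", so the -01 entry describes both the new rationale and the initial revision at once, and the change note sits on the version line instead of in the bullet style the existing entry uses. Keep "-01" as the version line, list the change as a bullet ("* Added rationale for this document and a reference to ISO/IEC 27551."), and either move "initial revision" under a separate -00 entry or drop it. If this change is meant to be a new draft rather than an amendment of -01, bump the number here and in the front matter together.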