
OIDC actually already handles this by requiring the `sub` claim to never be re-assigned and unique: https://openid.net/specs/openid-connect-core-1_0.html#IDToke...

Of course this means that an ID token should not contain an e-mail address under `sub`.



So the identity provider could just generate this unchangeable ID and let the user link any number of aliases to it, right?


That is what TFA suggests, yes.
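
An added example (not from the thread or the article) of the account model discussed above: a relying party keys local accounts on the `sub` claim and treats e-mail addresses as mutable aliases. It assumes the ID token's signature, audience and expiry were already validated, and it pairs `sub` with `iss` because OIDC only guarantees `sub` is unique within one issuer; `AccountStore`, the issuer URLs and the claim values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    issuer: str
    subject: str
    emails: set = field(default_factory=set)  # aliases only, never a lookup key


class AccountStore:
    """Hypothetical relying-party account table keyed on (iss, sub)."""

    def __init__(self):
        self._by_identity = {}

    def login(self, claims):
        """Map already-validated ID token claims to a local account."""
        iss, sub = claims.get("iss"), claims.get("sub")
        if not iss or not sub:
            raise ValueError("ID token must carry iss and sub")
        account = self._by_identity.get((iss, sub))
        if account is None:
            account = Account(iss, sub)
            self._by_identity[(iss, sub)] = account
        # An e-mail is recorded as an alias and only when the issuer verified it.
        email = claims.get("email")
        if email and claims.get("email_verified") is True:
            account.emails.add(email.lower())
        return account


def demo():
    """Constructed claims: an address change, then the old address reused."""
    store = AccountStore()
    iss = "https://idp.example"
    first = store.login({"iss": iss, "sub": "u-1001",
                         "email": "alice@example.com", "email_verified": True})
    # Same user after changing address: still the same account.
    moved = store.login({"iss": iss, "sub": "u-1001",
                         "email": "alice@new.example", "email_verified": True})
    # The old address now belongs to another user: a separate account.
    reused = store.login({"iss": iss, "sub": "u-2002",
                          "email": "alice@example.com", "email_verified": True})
    # The same sub value from a different issuer is also a separate account.
    foreign = store.login({"iss": "https://other-idp.example", "sub": "u-1001"})
    return first, moved, reused, foreign
```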



