
Comment by arnarbi

4 days ago

> They are (or were) refusing to provide any indication to those other companies that these are not, in fact, the same people

That is not quite true; the sub field will be different.

But the authors do imply that sub will also change in place for users in step #1, without the workspace being recreated. As such, the sub is not usable as a general identifier for user resource differentiation.

  • The sub property appearing to change for the same email address is a valid scenario. SPs failing to respect that scenario because they don't understand it, or because it's not what some of their users want, is not a valid excuse.

    https://support.google.com/a/answer/33314?hl=en&co=DASHER._F...

    To me it is reasonable that orgs may want to eventually reuse an email address on a different user account. That's a feature decision made by the IdP so SPs need to respect it. I believe other IdPs like Okta and Entra have equivalent features too.

    • > To me it is reasonable that orgs may want to eventually reuse an email address on a different user account. That's a feature decision made by the IdP so SPs need to respect it

      I think everyone, including the authors, hopefully agrees with that logic and sentiment. And that would be the literal point of the sub claim after all!

      But the implication in the article is still, as I read it, that it changes in place in practice, and not in the case of re-creating the user under the same workspace. But I obviously do not have the background to clarify!

This is not necessarily useful. The sub field only indicates that this is a different user, which maybe protects the private info of the old user. However, a big part of OIDC integration is to automatically allow any valid user registered with the IdP to automatically have access to the corporate account, and to any company-wide resources, which can still include very sensitive information.

If by "same people" you mean recognizing a specific user, yes, the sub field changes.

If by "same people" you mean being able to tell whether a new user is part of the same organization, the sub field is useless and no other field has this information either.
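As an added illustration of the point the thread keeps circling (an SP must link local accounts on the issuer plus `sub`, never on the email address), the Python sketch below is mine, not code from the article, the commenters or any IdP. The issuer URL, `sub` values and email address are constructed placeholders. It contrasts an SP that keys accounts on `(iss, sub)` with one that keys on email, in the exact scenario discussed above: a user is deleted at the IdP and the same email address is later reissued under a new `sub`. It does not try to answer the org-membership question raised in the last comment; `sub` carries no such information, so nothing here infers it.

```python
"""Account linking keyed on (iss, sub) versus email.

Added example; all claim values are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    issuer: str
    subject: str
    email: str
    data: list = field(default_factory=list)  # resources owned by this account


class ServiceProvider:
    """Minimal SP that maps ID-token claims to local accounts.

    link_by="sub"   -> key on (iss, sub): the OIDC-correct behaviour
    link_by="email" -> key on (iss, email): fragile, shown for contrast
    """

    def __init__(self, link_by: str = "sub"):
        if link_by not in ("sub", "email"):
            raise ValueError("link_by must be 'sub' or 'email'")
        self.link_by = link_by
        self._accounts = {}  # linking key -> Account
        self._next_id = 1

    def _key(self, claims: dict) -> tuple:
        # sub is only unique per issuer, so the issuer is always part of the key.
        return (claims["iss"], claims[self.link_by])

    def login(self, claims: dict) -> Account:
        """Return the local account for a validated ID token's claims."""
        for required in ("iss", "sub", "email"):
            if required not in claims:
                raise ValueError(f"missing claim: {required}")
        key = self._key(claims)
        acct = self._accounts.get(key)
        if acct is None:
            acct = Account(self._next_id, claims["iss"], claims["sub"], claims["email"])
            self._next_id += 1
            self._accounts[key] = acct
        elif self.link_by == "sub" and acct.email != claims["email"]:
            # Same subject with a new address: the person is unchanged,
            # so just record the updated email on the existing account.
            acct.email = claims["email"]
        return acct


# Constructed sample logins: the first is the original employee, the second a
# later hire who was given the same address under a freshly issued sub.
SAMPLE_LOGINS = [
    {"iss": "https://idp.example", "sub": "sub-old-111", "email": "alice@example.com"},
    {"iss": "https://idp.example", "sub": "sub-new-222", "email": "alice@example.com"},
]


def simulate(link_by: str):
    """Run both logins; report whether the second got a distinct account
    and what data it can see."""
    sp = ServiceProvider(link_by)
    first = sp.login(SAMPLE_LOGINS[0])
    first.data.append("old user's private document")
    second = sp.login(SAMPLE_LOGINS[1])
    distinct = second.account_id != first.account_id
    return distinct, list(second.data)


if __name__ == "__main__":
    for mode in ("sub", "email"):
        distinct, visible = simulate(mode)
        print(f"link_by={mode}: new account={distinct}, visible data={visible}")
```

With `link_by="sub"` the reissued address lands on a fresh account and the old user's data stays out of reach; with `link_by="email"` the new hire is silently handed the previous employee's account. The point the comment above makes still stands: neither mode tells the SP anything about whether the new subject belongs to the same organization, so that decision has to be made elsewhere.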