Claims aggregation trust model #2145

@bitbucket-import-issues

Description

Originally submitted by Nat (Nat Sakimura) on 2026-04-09

The RP needs to trust that the JWTs from the Claims Provider that are included in the ID Token from the OP are about the sub in the ID Token.

The potential trust model is such that the ecosystem holds the OP as a trusted entity that adheres to the following provisions:

The OP

  1. MUST bind the UserInfo access token obtained from the CP to the account of the OP that started the authentication request to the CP;
  2. MUST NOT use the access token for any other accounts of the OP; and
  3. MUST make a statement about it to the RP.

The statement

  1. MAY be made out-of-band in the ecosystem or as a policy statement on its website, but
  2. SHOULD be done with the OP discovery metadata claim_types_supported value set to aggregated.

This was initially discussed on the 2026-04-09 Call, and some attendees expressed that this could be a reasonable model.


Bitbucket status: new

Bitbucket origin: issue 2189
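Added example, not code from this issue or from the OpenID Foundation: an RP-side check in Python that applies provision 2 of the statement above, accepting aggregated claims (the _claim_names / _claim_sources structure of OpenID Connect Core) only when the OP's discovery metadata advertises claim_types_supported containing "aggregated". The metadata, the ID Token claims and the embedded CP JWT are constructed fixtures; signature verification of the CP JWT against the CP's keys is assumed to happen before this step and is not shown.

```python
import base64
import json

# Constructed fixture: OP discovery metadata carrying the statement from provision 2.
OP_METADATA = {"issuer": "https://op.example",
               "claim_types_supported": ["normal", "aggregated"]}

def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def _unsigned_jwt(payload):
    # Fixture only: a real CP JWT is signed, and the RP verifies it against the CP's JWKS.
    return f"{_b64url({'alg': 'none'})}.{_b64url(payload)}."

def jwt_payload(token):
    """Decode the payload segment of a compact JWT (assumed already signature-checked)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

# Constructed ID Token claims: two aggregated claims sourced from one CP JWT.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://op.example", "sub": "248289761001",
    "_claim_names": {"address": "src1", "phone_number": "src1"},
    "_claim_sources": {"src1": {"JWT": _unsigned_jwt(
        {"iss": "https://cp.example", "address": {"country": "JP"},
         "phone_number": "+81 30 1234 5678"})}},
}

def op_asserts_aggregation_binding(metadata):
    """True when the OP states, via discovery, that it aggregates claims per the model."""
    return "aggregated" in metadata.get("claim_types_supported", [])

def resolve_aggregated_claims(id_token_claims, metadata):
    """Return {claim: value} for aggregated claims, or raise ValueError if the OP has not
    made the binding statement or a referenced CP JWT does not carry the claim."""
    names = id_token_claims.get("_claim_names", {})
    sources = id_token_claims.get("_claim_sources", {})
    if names and not op_asserts_aggregation_binding(metadata):
        raise ValueError("OP does not advertise aggregated claims; not trusting them")
    resolved = {}
    for claim, src in names.items():
        source = sources.get(src)
        if not source or "JWT" not in source:
            raise ValueError(f"no aggregated JWT source for claim {claim!r}")
        payload = jwt_payload(source["JWT"])
        if claim not in payload:
            raise ValueError(f"CP JWT {src!r} does not carry claim {claim!r}")
        resolved[claim] = payload[claim]
    return resolved
```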
