Archived 2023.01.11. Content moved to CDS Guide, ID Permanence
Question
The sub
claim in an OIDC openid scope identifies the subject. In a business context, the Data Standards Body (DSB) has stated that the sub
should be the nominated representative of the organisation: the end user that established consent, who has delegated authority to share data on behalf of the consumer organisation.
The sub
plays an important role for the Accredited Data Recipient (ADR). It is the only permanent identity that the ADR can use to identify the owner of accounts associated to the consent.
Because of ID Permanence rules, when different users consent to the sharing of the same account, the account IDs are actually different. The sub
values for the different users are also different. Consequently, the Accredited Data Recipient (ADR) cannot determine that the consents refer to the same account.
When a user leaves an organisation, the consent authorised by that user is no longer valid. The rules regarding deletion and de-identification of CDR data then apply. Other users remaining with the organisation may have given consent for the same account to be shared, but the ADR cannot determine that. CDR data has to be deleted and the organisation has to provide consent again.
The same applies when a consent expires, and the user who authorised it is not available to renew it.
This issue could lead to irretrievable loss of data held by the ADR on behalf of the organisation.
Would it be more appropriate for the sub
to identify the organisation?
Answer
The difficulties are well stated above. However, there is a problem with the proposed solution: that the sub
identifies the organisation. The proposed solution works only if the ADR is aware that the sharing is for an organisation. However, the ADR may not be aware of this.
The ADR might make the connection if the login profile on the ADR side is also a business account for multiple agents.
However, a user may log in to their account with an ADR using their own credentials. They then share data as an agent of an organisation. When they leave the organisation, they retain their account with the ADR. but no longer act as an agent of the organisation.
The identity as defined by the ADR, and the identity as defined by the Data Holder (DH), are not guaranteed to align.
With these considerations, the DSB stands by our original advice regarding the sub
claim. However, we leave the final decision on this matter to the discretion of the implementer, and to the competitive space.
See:
- OpenID Connect Core 1.0
- CDS Security Profile, Client Authentication
- CDS ID Permanence
- CDR Rules, Main section, Part 1, Division 1.4, Subdivision 1.4.5 Deletion and de‑identification of CDR data,
Comments
0 comments
Please sign in to leave a comment.