Meaning of the Surrogate Identifier Clause not clear

Issue #20 wontfix
Nat Sakimura created an issue

In DDA, it was using "Surrogate Identity" without defining what is identity. It looks like it meant to be "identifier".

Even then, the meaning of the clause is not clear.

For example, the meaning of

OAuth creates a surrogate identifier for a Login (entity)

is not clear. OAuth does not create an identifier that represents a Login (= user identity). It just represents the access grant. It is a well known security hole to mistake access and refresh tokens with user identity.

If one wants to use them as such, the Client needs to at least verify that:

  1. the token was issued for the client
  2. the token was issued by the intended issuer
  3. the token maps to one user identifier

etc. It will eventually end-up as being semantically equal to (minimum) ID Token.

Also, it seems to be asking for RT and AT to be persistent. Not sure if that is a good idea.

Comments (7)

  1. Anoop Saxena

    • Surrogate identifier is recommended to be sent in place of the PII (personal identifier information) such as bank real account number.

  2. Anoop Saxena


    I know OPENID connect solved the user identity problem ... In OAUTH that was missing so we added a Surrogate identifier "User id" as additional attribute to OAUTH response when tokens are generated for successful login.

    let me know, if we need to review few of open items next week meeting

  3. Nat Sakimura reporter

    Ah, ok, user_id and surrogate identifiers are closely related.

    Then, suggest we close this ticket and continue tracking with #22.

  4. Log in to comment