Possibility to use personal id number in sub claim

[martin-lindstrom]

In section 3.2.1.1 of "The Swedish OpenID Connect Profile" it says:

In order to avoid privacy violations an OpenID Provider MUST NOT use an end-user attribute that reveals personal information about the end-user as the value for sub, for example a personal identity number. Even though this information may be available in other token claims, its release should be dependent on requested scopes (or claims) and not be revealed unless explicitly requested (and in some cases consented).

This has proven to be a bit too tough for some local deployments of OIDC, and we should allow any end-user identity attribute to be used in sub as long as the client has requested its corresponding claim (directly, or indirectly using a scope). However, we should still recommend against this.

[nightkr]

Privacy isues aside, wouldn't this also cause problems for people whose PINs change? (Immigrants, trans people, etc.)

[martin-lindstrom]

For consumers of personal identity claims it really does not matter whether you deliver a personal identity number in the sub claim or any other claim. The problem is that most Swedish organizations use a Swedish personal identity number as the prime identity, and they/the user are in trouble if a p-nr changes.

However, we try to be helpful in cases regarding changed personal identity numbers, by introducing the https://id.oidc.se/claim/previousCoordinationNumber claim (see Claims and Scopes Specification for the Swedish OpenID Connect Profile).

Currently, this only addresses the case when a person first has a coordination number and is later given a personal identity number. We should also introduce previousPersonalIdentityNumber.