]> OpenID Connect Email Account Linking Extension
Beirut LB Lebanon salimbouaram12@gmail.com
This document extends OpenID Connect's standard email functionality to support secure linking between multiple email accounts. It enables users to associate secondary email addresses with their primary account while maintaining backward compatibility with existing implementations. The extension provides methods for establishing, managing, and utilizing these relationships within the OpenID Connect email scope.
Core Concepts The extension operates on these fundamental principles:
  1. Primary Account: The initial identity that controls all linked accounts
  2. Secondary Accounts: Additional email identities linked to the primary
  3. Temporal Validity: Linkages expire after a defined period
  4. Account Resolution: Secondary logins resolve to the primary identity
Protocol Parameters Parameters
Parameter Location Description
linking Authorization Request boolean (true/false), initiates linking flow when true
linking_period Authorization Request number (seconds), validity duration (default: 2592000)
Protocol Flows
Linking Flow Complete sequence for establishing account linkages: | | | | Primary Auth | | |------------------>| | | | | | Show Linking | | | Consent Screen | | | (where user adds | | | or | | | selects email | | | accounts) | | |------------------>| | | (1-N secondary | | | accounts based | | | on IdP policy | | | and allowed N | | | Secondaries) | | |<------------------| | | Auth Secondary 1| | |<----------------- | | | Auth Secondary N | | |<------------------| | | | | IDP/STS stores Linkages | | | | | ID Token with | | | linking claims: | | | - primary_email | | | - secondary_emails[N] | | | - expires_at | | |<-----------------| |]]> 1. Client initiates with parameters: 2. IdP authenticates primary account, the account should be primary or normal (not linked) email account 3. User authenticates 1-N secondary accounts (IdP-defined limit) 4. IdP stores linkages with desired expiration timestamp 5. IdP returns ID token containing:
Unlinking Flow Unlinking occurs through the standard linking interface when initiated by primary accounts: | | | | Primary Auth | | |------------------>| | | | | | Show Linking | | | Consent Screen | | | with "Unlink All" | | | option only | | |------------------>| | | User confirms | | | "Unlink All" | | |<------------------| | | | | ID Token with | | | standard claims | | |<------------------| |]]> 1. User authenticates with primary account credentials 2. IdP displays linking consent screen with:
  • List of currently linked accounts
  • Single "Unlink All" option
  • No account selection options
3. User confirms by clicking "Unlink All" 4. IdP completely removes all linkages 5. Standard ID token returned with empty linkage:
Secondary Account Authentication When authenticating with an email account that is linked to a primary account: 1. Client initiates standard OIDC authentication: 2. IdP/STS performs normal authentication flow 3. After successful authentication, system checks for account linkages 4. For secondary accounts, ID token contains: Applications must process the token as follows:
  • Use primary_email as the canonical user identifier
  • Verify expires_at is in the future
  • Treat permissions/access identical to primary account login
  • Include secondary email in audit logs only
Security Considerations Key security requirements:
  1. Authentication Requirements:
    • All accounts must complete full authentication during linking
    • Secondary accounts cannot initiate linking/unlinking
  2. Token Validation:
    • Linking expiry must always be validated
  3. Account Resolution:
    • Always resolve secondary logins to primary email account
  4. Audit Logging:
    • Log all linking/unlinking events
    • Record both primary and secondary emails in logs
IANA Considerations This document has no IANA actions.