Description
voPersonID is defined as a multi-valued attribute in the voPerson 2.0 specification.
Returning the `voperson_id` claim in an array would align with the specification; however, the following points need to be clarified:
- We need to determine how relying parties should handle multiple `voperson_id` values. Should they identify users by matching any Community User Identifier value in the array?
- Given that the `sub` claim is a single-valued string, we need to clarify that `sub` should be treated as a technical identifier that may or may not convey the Community User Identifier (CUID).
Additionally, it's important to consider that the support for multiple values in the voPersonID definition may be intended to allow expressing non-current identifiers using the `prior` option in LDAP. We could explore adapting the `prior` option in OIDC with a complex object denoting (the single?) current identifier and any prior identifiers. Alternatively, we could introduce a new multi-valued claim specifically for prior identifiers. This approach would also work for legacy SAML SPs by avoiding the need to define complex SAML attribute value types, but on the other hand it would require standardising a new attribute/claim name.
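To make the relying-party questions above concrete, here is an added example (not code from the voPerson specification or any project) of how an RP could normalise a `voperson_id` claim that arrives as a single string, as an array, or as the "current plus prior" object sketched above, and then match it against locally known CUIDs without ever using `sub` as the account key. The `{"current": ..., "prior": [...]}` shape, the claim payloads and the account mapping are all constructed for this example; the object shape is an assumption about one possible JSON rendering of the LDAP `prior` option, not a defined structure.

```python
"""Relying-party side handling of a multi-valued voperson_id claim (example only)."""
from __future__ import annotations

# Constructed sample claim sets (payloads only; token signature validation is assumed done).
CLAIMS_ARRAY_FORM = {
    "sub": "8d2b1f5e-technical-subject",           # single-valued, opaque technical identifier
    "voperson_id": [                               # multi-valued, as permitted by voPerson 2.0
        "a1b2c3d4@example.org",
        "legacy-00017@example.org",
    ],
}

# Hypothetical JSON rendering of the LDAP ";prior" option: one current value plus prior ones.
# This shape is an assumption for the example, not a defined voPerson or OIDC structure.
CLAIMS_OBJECT_FORM = {
    "sub": "8d2b1f5e-technical-subject",
    "voperson_id": {
        "current": "a1b2c3d4@example.org",
        "prior": ["legacy-00017@example.org"],
    },
}


def extract_voperson_ids(claims: dict) -> list[str]:
    """Normalise voperson_id to a list of CUIDs, current value first where the shape says so.

    Accepts a single string, a plain array, or the hypothetical current/prior object.
    Anything else is rejected rather than guessed at.
    """
    value = claims.get("voperson_id")
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        if not value or not all(isinstance(v, str) and v for v in value):
            raise ValueError("voperson_id array must contain non-empty strings")
        return list(dict.fromkeys(value))  # drop duplicates, keep order
    if isinstance(value, dict):
        current = value.get("current")
        prior = value.get("prior", [])
        if not isinstance(current, str) or not current:
            raise ValueError("voperson_id object needs exactly one current identifier")
        if not isinstance(prior, list) or not all(isinstance(p, str) and p for p in prior):
            raise ValueError("voperson_id.prior must be an array of non-empty strings")
        return [current] + [p for p in prior if p != current]
    raise ValueError(f"unsupported voperson_id type: {type(value).__name__}")


def resolve_account(claims: dict, accounts: dict[str, str]) -> str | None:
    """Map a claim set to a local account id using only the CUIDs in voperson_id.

    `accounts` maps a known CUID to a local account id. `sub` is deliberately not
    consulted: it is a technical identifier and is not assumed to carry the CUID.
    Returns None when no identifier is known. Raises when the identifiers point at
    different local accounts, since that needs investigation, not a silent pick.
    """
    cuids = extract_voperson_ids(claims)
    matched = {accounts[c] for c in cuids if c in accounts}
    if len(matched) > 1:
        raise ValueError(f"voperson_id values map to multiple accounts: {sorted(matched)}")
    return matched.pop() if matched else None


def learn_current_identifier(claims: dict, accounts: dict[str, str]) -> dict[str, str]:
    """Return a copy of `accounts` that also knows the user's current CUID.

    Only the object form tells us which value is current, so only that form adds a
    mapping; for the plain array form we cannot tell, and the mapping is left unchanged.
    """
    account = resolve_account(claims, accounts)
    if account is None or not isinstance(claims.get("voperson_id"), dict):
        return dict(accounts)
    updated = dict(accounts)
    updated.setdefault(extract_voperson_ids(claims)[0], account)
    return updated


if __name__ == "__main__":
    known = {"legacy-00017@example.org": "acct-42"}  # RP only knows the old identifier
    print(resolve_account(CLAIMS_ARRAY_FORM, known))
    print(learn_current_identifier(CLAIMS_OBJECT_FORM, known))
```

The array form lets the RP recognise a returning user by any value, which answers the first bullet with "match any", but it cannot say which value to store going forward; the object form can, which is why `learn_current_identifier` only rekeys in that case. Either way the lookup never touches `sub`.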