Description
It is common for an app to already have users from an organization, and for the organization to want to take over management of those accounts while preserving the current application state. The process for doing that is account resolution, i.e. how the OP maps an account it understands to an account the RP understands.

The `audit_tenant` command allows the OP to get all accounts it does manage at the RP, or that the RP thinks it could manage.

By including a property of who manages the account, the OP can then decide if it wants to take over managing the account if it does not already manage the account. The `managed_by` property can indicate this. (open to other name suggestions!)

The `manage` command would then be issued by the OP to take over managing the account (can the OP undo this?).

The RP of course does not have a `sub` claim for accounts it does not manage. The RP provides a new `aud_sub` claim that is the RP's identifier for the account. The OP can then provide the `aud_sub` claim in future commands so that the RP receives the RP-scoped account identifier `aud_sub` in addition to the OP-scoped `sub` identifier. The OP would then also provide the `aud_sub` identifier in ID Tokens.

As a general claim, `aud_sub` is being defined in OpenID Connect Enterprise Extensions -- see openid/connect-enterprise-extensions#1
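To make the proposed flow concrete, here is an added RP-side sketch (not code from the issue or from any OpenID project) of the account-resolution steps above. The command and account-table shapes, the sample accounts, the takeover policy and the function names are all assumptions; only `audit_tenant`, `manage`, `managed_by`, `aud_sub` and `sub` come from the issue.

```python
# Assumed RP-side model of the account-resolution flow. Constructed sample data;
# the payload shapes are not from any spec.
OP = "https://op.example.com"

def sample_accounts():
    """Fresh copy of a constructed RP account table, keyed by aud_sub.
    `sub` is only set once an OP manages the account."""
    return {
        "u-100": {"email": "alice@example.com", "managed_by": None, "sub": None},
        "u-101": {"email": "bob@example.com", "managed_by": OP, "sub": "op-sub-bob"},
        "u-102": {"email": "carol@example.com", "managed_by": "https://other-idp.example", "sub": None},
    }

def audit_tenant(op_issuer, accounts):
    """Answer an audit_tenant command: every account the OP manages, or that
    the RP thinks it could manage, with managed_by so the OP can decide."""
    result = []
    for aud_sub, acct in accounts.items():
        entry = {"aud_sub": aud_sub, "managed_by": acct["managed_by"]}
        if acct["managed_by"] == op_issuer:
            entry["sub"] = acct["sub"]  # only the managing OP gets a sub back
        result.append(entry)
    return result

def manage(op_issuer, aud_sub, sub, accounts):
    """Answer a manage command: the OP takes over the account named by the
    RP-scoped aud_sub and binds its own OP-scoped sub to it."""
    acct = accounts.get(aud_sub)
    if acct is None:
        raise KeyError(f"unknown aud_sub {aud_sub}")
    if acct["managed_by"] not in (None, op_issuer):
        # Assumed policy: refuse a silent takeover from a different manager.
        raise PermissionError(f"{aud_sub} is managed by {acct['managed_by']}")
    acct["managed_by"] = op_issuer
    acct["sub"] = sub
    return {"sub": sub, "aud_sub": aud_sub}

def id_token_claims(op_issuer, sub, client_id, accounts):
    """Claims the OP includes once it manages the account: both the
    OP-scoped sub and the RP-scoped aud_sub."""
    for aud_sub, acct in accounts.items():
        if acct["sub"] == sub and acct["managed_by"] == op_issuer:
            return {"iss": op_issuer, "aud": client_id, "sub": sub, "aud_sub": aud_sub}
    raise LookupError("OP does not manage this account")
```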