Add aud_sub claim and clarify tenant claim opacity

dickhardt · dickhardt · commit 706d40a5d495 · 2025-08-15T10:35:01.000+01:00
- Add new aud_sub claim for RP account identifier
- Clarify that tenant claim values should be opaque to the RP
- Specify that OP account and RP account linking is out of scope for aud_sub
diff --git a/openid-connect-enterprise-extensions-1_0.md b/openid-connect-enterprise-extensions-1_0.md
@@ -81,7 +81,11 @@ The `session_expiry` claim is a JSON integer that represents the Unix timestamp
 
 ## tenant
 
-The `tenant` claim is an opaque JSON string that represents a tenant identifier and MAY have the value `personal`, `organization` or a stable OP unique value for multi-tenant OPs. The `personal` value is reserved for when Accounts are managed by individuals. The `organization` value is reserved for Accounts managed by an organization.
+The `tenant` claim is a JSON string that represents a tenant identifier and MAY have the value `personal`, `organization` or a stable, opaque to the RP, OP unique value for multi-tenant OPs. The `personal` value is reserved for when Accounts are managed by individuals. The `organization` value is reserved for Accounts managed by an organization.
+
+## aud_sub
+
+The `aud_sub` claim is an opaque JSON string that represents the identifier the RP has for the account. How the OP acquires the `aud_sub` and how the OP account and RP account linking is out of scope.
 
 
 # Authentication Request Parameters
