User IDs

How to identify users, people, and accounts within Feide.

Feide with OIDC/OAuth is not limited to a single kind of user ID. Each user is issued at least a unique, opaque user ID and a user ID determined by the user’s login provider.

Subject identifier - The main OIDC user ID

The subject identifier is an opaque UUID, which does not reveal any information about the user. It is intended to be long-term and survive mergers of schools and universities.

The subject identifier is generated the first time a user logs in with OpenID Connect (OIDC). For Feide users that have not yet logged in with OIDC, an identifier is generated automatically within a few hours of the account being created. Consequently, recently created Feide users and other users that have not yet logged in with OIDC may not have a subject identifier. In this case, other user IDs will still be available.

The subject identifier is available as the claim sub:

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864"
}

Other user IDs

A user will always have one other user ID besides the subject identifier. It will be available in its own claim, and which user ID this is depends on the login provider that holds the user account. A Feide ID and national identity number may additionally be exposed through their own dedicated claims.

Namespaced user ID

Each user has a single namespaced user ID in the format <namespace>:<identifier>. If the corresponding attribute group is granted, the user ID is included in the claim https://n.feide.no/claims/userid_sec. This is a string array with at most one element.

The namespaced user ID mainly serves to link the user identity from the login provider to the account in Feide. As such, the login provider of the user determines which user ID appears in the claim. Below are a few examples that illustrate this:

When Feide is the login provider and the application is granted the userid-feide attribute group, the claim looks like this:

{
    "https://n.feide.no/claims/userid_sec": [
        "feide:olanor@example.org"
    ]
}

When ID-Porten is the login provider and the application is granted the userid-nin attribute group, the claim looks like this:

{
    "https://n.feide.no/claims/userid_sec": [
        "nin:10108012345"
    ]
}

When eduGAIN is the login provider and the application is granted the userid-edugain attribute group, the claim looks like this:

{
    "https://n.feide.no/claims/userid_sec": [
        "edugain:https%3A//some.edugain.idp/entityId:user@some-edugain.org"
    ]
}

Note that the colon (:) in the eduGAIN identifier part is used as a separator. Because of this, any colon (:) or percent (%) characters used in the distinct parts of the identifier are URL-encoded.
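The following parser for the userid_sec claim is an added example, not code from Feide. It splits on the literal separator before URL-decoding, so an encoded colon inside a part cannot shift the boundary between parts. The function and class names are hypothetical, and the assumption that an eduGAIN identifier has exactly two parts is taken from the example above.

```python
from typing import NamedTuple, Optional, Tuple
from urllib.parse import unquote

USERID_SEC = "https://n.feide.no/claims/userid_sec"


class NamespacedUserId(NamedTuple):
    namespace: str
    parts: Tuple[str, ...]  # one part, or two decoded parts for edugain


def parse_userid_sec(claims: dict) -> Optional[NamespacedUserId]:
    """Parse the claim from already-validated ID token or userinfo claims.

    Returns None when the claim is absent or the array is empty.
    """
    values = claims.get(USERID_SEC)
    if values is None or values == []:
        return None
    if (not isinstance(values, list) or len(values) != 1
            or not isinstance(values[0], str)):
        raise ValueError("userid_sec must be a string array with at most one element")

    namespace, sep, identifier = values[0].partition(":")
    if not (sep and namespace and identifier):
        raise ValueError("expected <namespace>:<identifier>")
    if namespace != "edugain":
        # Other namespaces: keep the identifier exactly as issued.
        return NamespacedUserId(namespace, (identifier,))

    # Split on the literal separator first, then decode each part. Decoding
    # first would turn an encoded %3A into a separator and shift the boundary.
    raw = identifier.split(":")
    if len(raw) != 2 or not all(raw):  # assumption: exactly two parts
        raise ValueError("unexpected edugain identifier layout")
    return NamespacedUserId(namespace, tuple(unquote(p) for p in raw))


if __name__ == "__main__":
    # Constructed sample claims, not real accounts.
    samples = [
        {},
        {USERID_SEC: ["feide:olanor@example.org"]},
        {USERID_SEC: ["edugain:https%3A//idp.example/entity:u%3A1%25@example.org"]},
    ]
    for s in samples:
        print(parse_userid_sec(s))
```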

Feide identifier

If the user has a Feide account and the application is granted the userid-feide attribute group, the Feide ID is exposed through the dedicated claim https://n.feide.no/claims/eduPersonPrincipalName:

{
    "https://n.feide.no/claims/eduPersonPrincipalName": "olanor@example.org"
}

National identity number

If the national identity number is available and the application is granted the userid-nin attribute group, it is exposed through the dedicated claim https://n.feide.no/claims/nin:

{
    "https://n.feide.no/claims/nin": "10108012345"
}