User IDs

How to identify users, people, and accounts within Feide.

Feide with OIDC/OAuth is not limited to a single kind of user identifier. Each user record is issued a unique, opaque user identifier and a set of secondary user IDs.

Subject identifier - The main OIDC user identifier

The subject identifier is generated the first time a user logs in with Feide using OpenID Connect. The identifier is in UUID format and is opaque, thus not revealing any additional information about the user. It is intended to be long-term and survive mergers of schools and universities.

Note that a user who has not logged in with OIDC yet will not have a subject identifier, but other user identifiers may still be available.

It is available as the claim sub:

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864"
}

Other user IDs

Feide can handle secondary user IDs in different namespaces. For example, Feide handles both national identity numbers and Feide IDs.

One user may have several secondary user IDs, even of the same type (i.e., same namespace). It is important that application developers take this into account when implementing applications.

Feide identifier

If the application is granted the userid-feide attribute group, it can access the Feide ID of the user. It is available as the claim https://n.feide.no/claims/eduPersonPrincipalName:

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864",
    "https://n.feide.no/claims/eduPersonPrincipalName": "feide:en.bruker@sikt.no"
}

National identity number

If the application is granted the userid-nin attribute group, it can access the national identity number if it is available for the user. The claim is https://n.feide.no/claims/nin:

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864",
    "https://n.feide.no/claims/nin": "10108012345"
}

Multiple secondary user IDs

If the application is granted one or more attribute groups that provide secondary user IDs, the claim https://n.feide.no/claims/userid_sec will contain all secondary user IDs available for the user in the following format: <namespace>:<identifier>.

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864",
    "https://n.feide.no/claims/userid_sec": [
        "nin:10108012345",
        "feide:en.bruker@sikt.no"
    ]
}

Merged primary keys

If two user records are merged in Feide for OIDC/OAuth, one entry will be removed and all user IDs from this record will be copied into the primary record. The primary key of the removed record will be added as a secondary historical key to the primary record.

Applications that obtain the primary user ID from Feide will always also get access to historical primary keys like this:

{
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864",
    "https://n.feide.no/claims/userid_sec": [
        "uuid:0723bd04-9731-48c2-86e4-2159abd0e85f"
    ]
}
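
The following is an added example, not code from Feide: one way an application can key local accounts on sub, parse the <namespace>:<identifier> entries of userid_sec (allowing several IDs per namespace), and follow a merge through the historical uuid: keys. It assumes the claims come from an already validated ID token or userinfo response; the accounts dictionary and the function names are hypothetical.

```python
from collections import defaultdict

USERID_SEC = "https://n.feide.no/claims/userid_sec"


def parse_secondary_ids(claims):
    """Group userid_sec entries by namespace; one namespace may hold several IDs."""
    grouped = defaultdict(list)
    for entry in claims.get(USERID_SEC, []):
        # Format is "<namespace>:<identifier>"; split on the first colon only.
        namespace, sep, identifier = entry.partition(":")
        if not sep or not namespace or not identifier:
            continue  # skip malformed entries instead of guessing
        grouped[namespace].append(identifier)
    return dict(grouped)


def resolve_account(claims, accounts):
    """Return the local account key for these claims, or None if unknown.

    accounts is a hypothetical local store mapping a Feide sub to a record.
    If the account is stored under a historical primary key, it is re-keyed
    to the current sub so later logins match directly.
    """
    sub = claims["sub"]
    historical = parse_secondary_ids(claims).get("uuid", [])
    # Current sub first, then any previous primary keys of merged records.
    known = [key for key in [sub, *historical] if key in accounts]
    if len(known) > 1:
        # Feide merged two records that both have local accounts; merging
        # them locally is an explicit decision, not something to do silently.
        raise LookupError("several local accounts match one Feide user")
    if not known:
        return None  # caller provisions a new account keyed on sub
    if known[0] != sub:
        accounts[sub] = accounts.pop(known[0])
    return sub


# Constructed sample: the merged-record claims shown above, and a local
# account that was created under the removed record's primary key.
MERGED_CLAIMS = {
    "sub": "7b96eab9-b69e-4b8c-9636-1da868207864",
    USERID_SEC: ["uuid:0723bd04-9731-48c2-86e4-2159abd0e85f"],
}
```

Keying on sub rather than on a secondary ID avoids ambiguity when a user holds several IDs in the same namespace.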