Comment 1 for bug 1814563

This is effectively an API guarantee which we ought to make to avoid inadvertently breaking other services that integrate with SSO.

While we're here, we should document the third-party caveat ID requirements (encryption, padding, etc.).