lively-scientist-17848
12/03/2024, 3:24 PM
`provider:subject` documented anywhere

brief-egg-61061
12/03/2024, 3:24 PM

brief-egg-61061
12/03/2024, 3:24 PM
`provider:subject` is documented in the Ory Kratos documentation. This can be seen in the [Ory Kratos Concepts: Credentials documentation](https://www.ory.sh/docs/kratos/concepts/credentials), which provides an example of OIDC credential identifiers:

```yaml
credentials:
  oidc:
    id: oidc
    identifiers:
      - google:j8kf7a3...
      - facebook:83475891...
```

In this example, we can clearly see that the OIDC credential identifiers are formatted as `provider:subject`, where "google" and "facebook" are the providers, followed by a colon and then the subject identifier. This format is consistent with how Ory Kratos handles social sign-in connections, as described in the [Ory Kratos Import Identities documentation](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections). The documentation states that the `provider` field is the social sign-in provider ID, and the `subject` is the ID of the user on the given platform. It's worth noting that the `subject` is typically the `sub` claim from the OpenID Connect ID Token provided by platforms like Google.

lively-scientist-17848
12/03/2024, 3:25 PM

brief-egg-61061
12/03/2024, 3:25 PM

brief-egg-61061
12/03/2024, 3:25 PM
`provider:subject` in the Ory documentation. While the format is demonstrated in examples and implied in the documentation, there doesn't appear to be a clear, formal guarantee or statement that this format will always be used or maintained. The closest reference we have is from the [Ory Kratos Import Identities documentation](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections), which describes the components of the identifier but doesn't explicitly state it as a guaranteed format:

"The `provider` field is the social sign-in provider ID you set in your social sign-in configuration. The `subject` ID must be the ID of the user on the given platform. Usually, this is the `sub` claim of the OpenID Connect ID Token provider such as Google."

However, it's important to note that without a clear statement of guarantee in the documentation, this format should be treated as a current implementation detail rather than a guaranteed, unchangeable aspect of the system. If you require a formal guarantee for your use case, it would be advisable to reach out to Ory directly for clarification or to request such a guarantee in their documentation.