[Openid-specs-mobile-profile] Issue #48: Account Portability (openid/mobile)

Torsten Lodderstedt issues-reply at bitbucket.org
Fri May 27 08:49:57 UTC 2016

New issue 48: Account Portability

Torsten Lodderstedt:

* The current concept forces RPs to ignore the “iss” claim and select user accounts based on the “sub” claim only. This creates a huge security risk since ANY IDP in an ecosystem (like Mobile Connect) can assert identities of any other attached IDP! It violates the fundamental OpenID concept of a scoped user id (authority).
* Note: Microsoft Office 365 recently experienced a similar vulnerability - http://www.economyofmechanism.com/office365-authbypass.html
* The vulnerability can be utilized within MC as well as in general OIDC use cases; it needs to be addressed immediately.
* MODRNA proposal: stick to the OpenID concept of scoped identity for Mobile Connect Release 2 and adopt a different concept for account portability; MODRNA will support development of the alternative design.

* First ideas for the alternative design for account portability:
  * migrate scoped user ids using a protocol similar to the OpenID 2.0 migration protocol (http://openid.net/specs/openid-connect-migration-1_0.html)
  * old MNO issues ID tokens containing the old sub (PCR) along with the destination MNO's issuer URL -> used by the destination MNO to prove migration of the PCR from the old MNO (old authority)
  * new MNO associates the new account with the old profile data
  * new MNO responds to login requests with old and new profile data (along with the assertion issued by the old MNO)
  * sector identifier or host name is used to identify existing clients (as old and new client ids differ!)
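
The account-selection problem and the migration idea above, as an added example that is not part of the issue thread and is not MODRNA, Mobile Connect or OpenID Foundation code. It models an RP's account store with two indexes: one keyed on `sub` alone (the behaviour the issue objects to) and one keyed on the `(iss, sub)` pair. ID tokens are represented as already-verified claim dictionaries, so signature, audience and expiry checks are assumed to have happened earlier; the issuer URLs, subjects and the `migration_target` claim name carrying the destination issuer are constructed for this example and are not defined by any specification.

```python
"""RP-side account lookup keyed on the OpenID Connect issuer/subject pair.

Added example (not code from the issue or from MODRNA/Mobile Connect).
Tokens below are already-verified claim sets; signature, audience and
expiry checks are assumed to have been done before these calls.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    issuer: str            # authority that asserted the subject ("iss")
    subject: str           # "sub" as issued by that authority
    profile: dict = field(default_factory=dict)


class AccountStore:
    def __init__(self):
        self._accounts = {}
        self._by_sub = {}          # unscoped index: sub only (vulnerable)
        self._by_iss_sub = {}      # scoped index: (iss, sub) (authority-bound)

    def add(self, account):
        self._accounts[account.account_id] = account
        self._by_sub[account.subject] = account.account_id
        self._by_iss_sub[(account.issuer, account.subject)] = account.account_id

    def lookup_unscoped(self, id_token):
        """Mirrors the behaviour the issue criticises: 'iss' is ignored,
        so any issuer that emits the same 'sub' selects the same account."""
        return self._accounts.get(self._by_sub.get(id_token["sub"]))

    def lookup_scoped(self, id_token):
        """Authority-bound lookup: a subject only matches under its issuer."""
        key = (id_token["iss"], id_token["sub"])
        return self._accounts.get(self._by_iss_sub.get(key))

    def link_migrated_subject(self, migration_token, new_id_token):
        """Bind a new (iss, sub) to an existing account.

        migration_token: claims of an ID token issued by the OLD authority,
        carrying the old sub and the destination issuer URL in the
        hypothetical 'migration_target' claim (name chosen for this example).
        new_id_token: claims of an ID token from the NEW authority.
        """
        old_key = (migration_token["iss"], migration_token["sub"])
        account_id = self._by_iss_sub.get(old_key)
        if account_id is None:
            raise ValueError("no account exists under the old authority")
        if migration_token.get("migration_target") != new_id_token["iss"]:
            raise ValueError("migration assertion is not for this issuer")
        # Only the scoped index learns the new pair; the old pair stays valid.
        self._by_iss_sub[(new_id_token["iss"], new_id_token["sub"])] = account_id
        return self._accounts[account_id]


# Constructed sample data: two issuers that happen to use the same "sub".
OLD_ISSUER = "https://idp-a.example"
NEW_ISSUER = "https://idp-b.example"
ALICE_TOKEN = {"iss": OLD_ISSUER, "sub": "pcr-1234"}
ROGUE_TOKEN = {"iss": NEW_ISSUER, "sub": "pcr-1234"}   # same sub, other issuer
MIGRATION_TOKEN = {"iss": OLD_ISSUER, "sub": "pcr-1234",
                   "migration_target": NEW_ISSUER}
NEW_TOKEN = {"iss": NEW_ISSUER, "sub": "pcr-9876"}


def build_store():
    store = AccountStore()
    store.add(Account("acct-1", OLD_ISSUER, "pcr-1234", {"name": "Alice"}))
    return store


if __name__ == "__main__":
    store = build_store()
    print("unscoped lookup of rogue token:", store.lookup_unscoped(ROGUE_TOKEN))
    print("scoped lookup of rogue token:  ", store.lookup_scoped(ROGUE_TOKEN))
    linked = store.link_migrated_subject(MIGRATION_TOKEN, NEW_TOKEN)
    print("after migration, new pair resolves to:", linked.account_id)
```

Running it shows the unscoped index handing Alice's account to a token from an unrelated issuer, while the scoped index returns nothing for that token and only resolves the new issuer's subject after an assertion from the old authority names that issuer as the migration target.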
