[Openid-specs-mobile-profile] Account Migration - porting_data with new 'sub', and not looking like id_token

Manger, James James.H.Manger at team.telstra.com
Wed Jun 15 08:05:58 UTC 2016


>> The "porting_data" looks like an id_token from the old OP. In fact, it might even be accepted as an id_token by some RPs

"porting_data" in draft-00 doesn’t include an "aud" (audience) claim. That might almost be sufficient to prevent OIDC clients being tricked into thinking it is an id_token since OpenID Connect Core 1.0 §3.1.3.7. "ID Token Validation" step 3 says "The Client MUST validate that the aud (audience) Claim contains its client_id".

Mind you, perhaps "porting_data" should have "aud" as well. That is awkward though as client_ids are OP-specific. "sector_id" (and "migrated_to") is effectively the audience for "porting_data".

--
James Manger
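As an added illustration of the OpenID Connect Core 1.0 §3.1.3.7 step-3 check discussed above (my example, not code from the thread or from the account-migration draft), the function below applies the "aud contains client_id" rule to two constructed claim sets: a normal id_token and a draft-00-style porting_data payload that has "sector_id" and "migrated_to" but no "aud". All claim values are made-up fixtures; signature verification against the issuer's keys is assumed to have happened before these claim checks.

```python
from typing import Any, Dict


def audience_ok(claims: Dict[str, Any], client_id: str) -> bool:
    """OIDC Core 1.0 §3.1.3.7 step 3: the 'aud' claim MUST contain this
    client's client_id. 'aud' may be a single string or an array of strings;
    a missing or malformed 'aud' fails, so a porting_data payload without
    'aud' is rejected when presented as an id_token."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and client_id in aud
    return False  # absent or wrong type (e.g. number, object, None)


def looks_like_porting_data(claims: Dict[str, Any]) -> bool:
    """Heuristic from the thread: porting_data carries 'sector_id' and
    'migrated_to' instead of an 'aud'. Useful for logging why a token was
    refused, not as a substitute for the audience check."""
    return "aud" not in claims and {"sector_id", "migrated_to"} <= claims.keys()


# Constructed fixtures (not real tokens); only the shape matters here.
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "aud": "rp-client-1",
    "exp": 1466000000,
    "iat": 1465990000,
}
MULTI_AUD_CLAIMS = dict(ID_TOKEN_CLAIMS, aud=["rp-client-1", "rp-client-2"])
PORTING_DATA_CLAIMS = {
    "iss": "https://old-op.example",
    "sub": "new-subject-at-old-op",          # the new 'sub' from the subject line
    "sector_id": "https://rp.example/sector",  # assumed value
    "migrated_to": "https://new-op.example",   # assumed value
    "iat": 1465990000,
}

if __name__ == "__main__":
    for name, c in [("id_token", ID_TOKEN_CLAIMS), ("porting_data", PORTING_DATA_CLAIMS)]:
        verdict = "accept" if audience_ok(c, "rp-client-1") else "reject"
        print(f"{name}: {verdict}" + (" (porting_data shape)" if looks_like_porting_data(c) else ""))
```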

