[Openid-specs-mobile-profile] Account Migration: revoking porting_data

Manger, James James.H.Manger at team.telstra.com
Fri Jun 17 01:36:59 UTC 2016

draft-account-migration-00 introduces porting_data as a signed JWT. It is a long-term signature as it is verified by an RP when the user next visits them after porting to a new OP, which might be weeks, months, or even a year later (for a service you use annually). Such a long-term signature needs a revocation mechanism, but there is not such mechanism for JWTs. I don’t think OpenID Connect has any other long-term JWS signatures. It can have long-term tokens, though the core spec says the AS SHOULD provide a mechanism for the end-user to revoke those.

Removing the porting_data signature verification key from jwks_uri effectively revokes all porting_data (for multiple users, RPs, and OPs) so that doesn't seem suitable. Using separate signature verification keys for different users/RPs/OPs might be theoretically possible but doesn't feel practical (jwks_uri would become huge, for instance).

Perhaps we would be better off ditching the JWT and defining an API offered by the old OP at which an RP can confirm a port. That is, define porting_verify_endpoint, in addition to porting_info_endpoint [aka migration_info_endpoint]. The porting data in an id_token would be an old {sub, iss} pair.

There is a risk an RP would use the old sub/iss without verifying it. We could able to avoid that by putting "porting_data":{token, old_iss} in the id_token and the RP only gets the old sub in the response from the porting_verify_endpoint call.

James Manger

More information about the Openid-specs-mobile-profile mailing list