[Openid-specs-mobile-profile] New Version of Account Migration Draft

Torsten.Lodderstedt at telekom.de Torsten.Lodderstedt at telekom.de
Tue Jul 26 14:17:49 UTC 2016

Hi Philippe,

thanks for your proposal. I basically think it is a good idea if OP1 would indicate the migration to the RP.

Two questions/comments came into my mind instantly:
- how is OP1 supposed to learn/know that the user account was migrated to OP2 and what the ppid was at OP1?
- I would not rely on the unsigned error response from OP1 to tell the RP where the user account was migrated to. This data could be faked by an attacker.

Best regards,

Mit TouchDown von meinem Android-Telefon gesendet (www.symantec.com)

-----Original Message-----
From: philippe.clement at orange.com [philippe.clement at orange.com]
Received: Dienstag, 26 Juli 2016, 15:48
To: Lodderstedt, Torsten [Torsten.Lodderstedt at telekom.de]; openid-specs-mobile-profile at lists.openid.net [openid-specs-mobile-profile at lists.openid.net]
CC: philippe.clement.ft at gmail.com [philippe.clement.ft at gmail.com]
Subject: RE: New Version of Account Migration Draft

Hi Torsten,

Thank you for this very valuable document.

By reading the set of 2 phases, I was wondering if we could add a scenario combining these 2 ones.
In this scenario, we could have:


1-    User had an account on a previous MNO (OP1)

2-    User's account on OP1 is closed

3-    User has an account on a new MNO (OP2)

4-    Eventually, OP1 knows that user has migrated to OP2

5-    RP knows former MNO (OP1)
Use Case:

6-    User visits his usual RP and starts authentication to access the service

7-    RP starts the OIDC flow with OP1 with usual secured hints regarding the user

8-    OP1 answer's with an error code "account migrated" and sends back to the RP all the necessary subject values. If OP1 knows what OP user has migrated to, it is inserted in the answer

9-    RP interacts with the user to get his new OP (discovery process), unless RP already knows what OP user has migrated to.

10- RP starts the authentication process with OP2

11- According to the success of authentication on OP2, RP migrates subject values for his RP's account

This Use case would take place in one shot, at the moment where user needs to authenticate at RP to get the service, so it would be very efficient in terms of migration
It minimizes the situation of cascading OPs
It avoids to install a dialog between OP1 and OP2 and privacy concerns regarding transfer of personal information from OP1 to OP2.
Then it avoids some situations where user will not start the migration process by accessing a specific service to be developped on OP2.
It avoids limitations in Authorization Grant lifetime.

I could have missed something important, and so I'm looking forward to any feedback from the list

Kind regards,

De : Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] De la part de Torsten.Lodderstedt at telekom.de
Envoyé : mardi 19 juillet 2016 13:30
À : openid-specs-mobile-profile at lists.openid.net
Objet : [Openid-specs-mobile-profile] New Version of Account Migration Draft

Hi all,

I just published -01 of the account migration draft at openid.net (http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html). The source code can be found in our Bitbucket repo.

This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.

I applied the following changes to the document:

·         reorganized the draft
·         extended introduction and overview
·         stated scope of the draft and what is currently out of scope
·         changed terminology from porting to migration
·         changed migration data structure to be different from an id token
·         cleaned up references
·         added initial security considerations

Please post your feedback to the list.

best regards,


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160726/9a02d117/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list