[Openid-specs-mobile-profile] account migration request RE: New Version of Account Migration Draft

Torsten.Lodderstedt at telekom.de Torsten.Lodderstedt at telekom.de
Tue Aug 2 12:12:28 UTC 2016


For what purpose? That's a simple POST request.

From: Nennker, Axel
Sent: Tuesday, 2 August 2016 12:58
To: Lodderstedt, Torsten; openid-specs-mobile-profile at lists.openid.net
Subject: account migration request RE: New Version of Account Migration Draft

I think that http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-01.html#rfc.section.3.2 should have a request parameter object that contains something like state and/or request_id etc., which is returned unchanged in the account migration response.

-Axel


From: Lodderstedt, Torsten
Sent: Tuesday, August 02, 2016 9:19 AM
To: Nennker, Axel; openid-specs-mobile-profile at lists.openid.net
Subject: RE: New Version of Account Migration Draft

Hi Axel,

see inline.

best regards,
Torsten.
From: Nennker, Axel
Sent: Friday, 29 July 2016 18:04
To: Lodderstedt, Torsten; openid-specs-mobile-profile at lists.openid.net
Subject: RE: New Version of Account Migration Draft

Hi,

I would change "The RP first validates the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery] using the "iss" sub-claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517] (containing the respective public keys of the OP)."
To
"The RP MUST first validate the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery] using the "iss" sub-claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517] (containing the respective public keys of the OP)."

TL: DONE

Furthermore, I would suggest removing the jwks example, because how the signature validation is done is not really important to Account Migration.
The text I would remove is below.

TL: I thought this text would be helpful for readers. What do other WG members think?

Cheers
Axel

For example, given the issuer URL https://op.mno1.com, the new OP would obtain the following OpenID configuration of the old OP from https://op.mno1.com/.well-known/openid-configuration (line breaks are for display purposes only):
HTTP/1.1 200 OK
Content-Type: application/json
{
  "issuer": "https://op.mno1.com",
  "jwks_uri": "https://op.mno1.com/jwks.json",
...
}
It then loads the public key material, which could, for example, look like this (line breaks are for display purposes only):

{
"keys": [
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "b040ea9e48fec8dfd6a8859b07553dee18f19636",
   "n": "zewQFS4tqHaofLLOTfliLO3gb1WnmjMYrPlVHPNdJc7WTVO5iuSVV1j5bYH0IvuoikdnBUzV0hjZiEg
   OQVETlCLtXNbi7R54NjaUOSuSBFclNtf8mMXqyB3lz7hfDUPPctdXeOsl-xcfUAvqyVkfEw9FuitB0fsP3zoq
   OEWa_7Kg8F7clSsz_g0fydT63qa1RyOraoF4SvisjyUWNVPsNmSCznQ1dd64y9HbX1ywkbtfqIzEcX--8ToGo
   V9dgBB5VJCGem89TkBv25LzdLIoHgy0YfyXOsmPMf2cDr6eZSiZl53TjL2O8VzMF3J5T7_sFkyruGDf1GoK3a
   lNT5D4YQ",
   "e": "AQAB"
  },
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "fc33f33a95ce227b9956398788a49ca83bea7bf5",
   "n": "qMW-G5XetV6bfJ4i6yWLLukttyLAoT3Fw3qz6sqqwRnvuS_StqAnVs7A5fWavcR3_AZimy1fJf9Gz9w
   GS7xtAy_tClHUq3O8Mdixjifl3y0wcIEQpyrAc248ffiha_1YPQWzJvny03H8Pr2ZgOzJlc03A1T9We6z0-R9
   zhL-wXKSpmbv-ZqbCPw7kWLUmb7OpOKPMxOyWMXHIzDEkJLXIATbekOGaltFrgJVjdXihQdYGD5vVtfJQEw2n
   B_k_CPjRmMxixhsuNk3s_3V02CdcZZul_Fs4q3uvEk6iXZQviBmPztGR2fpPJ1RlhnvP4jUl8bVi7mA5_Mpft
   c41tTUJQ",
   "e": "AQAB"
  }
]
}
Note: the appropriate key required for a particular migration data JWT is identified by the key identifier (kid).



From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Lodderstedt, Torsten
Sent: Tuesday, July 19, 2016 1:30 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] New Version of Account Migration Draft

Hi all,

I just published -01 of the account migration draft at openid.net (http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html). The source code can be found in our Bitbucket repo.

This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.

I applied the following changes to the document:

* reorganized the draft
* extended introduction and overview
* stated scope of the draft and what is currently out of scope
* changed terminology from porting to migration
* changed migration data structure to be different from an id token
* cleaned up references
* added initial security considerations

Please post your feedback to the list.

best regards,
Torsten.
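The RP-side check quoted earlier in this thread (look up the old OP's openid-configuration from the "iss" sub-claim of "from", load the JWKS from jwks_uri, pick the key by kid, verify the RS256 signature) as an added, runnable example. This is not code from the draft, the working group or anyone on this thread. Assumptions: the two HTTPS GETs of OpenID Discovery are replaced by lookups in a dict of URL to document so it runs offline; the old OP's RSA key pair is generated at runtime; the kid, the "sub" under "from" and the attacker tokens are constructed for the demo. It also goes one step beyond the quoted text by showing what the RP must reject: an edited payload, a token that picks "alg": "none", and a kid the JWKS does not contain.

```python
# Added example, not code from the draft or the OpenID WG. Discovery is simulated
# with a dict of URL -> document, the old OP's key pair is generated here, and
# every payload field other than from.iss is invented for the demo.
import base64, hashlib, json, secrets

ISSUER = "https://op.mno1.com"  # the draft's example issuer
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    # Miller-Rabin; fine for a demo key, a real OP uses a vetted crypto library
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def generate_rsa(bits: int = 1024):
    # returns (n, e, d); 1024 bits keeps the demo quick, real keys are >= 2048
    def prime(b):
        while True:
            c = secrets.randbits(b) | 1 << (b - 1) | 1
            if is_probable_prime(c): return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5 with SHA-256, i.e. what an RS256 signature covers
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_migration_jwt(priv, kid: str, payload: dict) -> str:
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    signing_input = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = pow(emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big")
    return signing_input + "." + b64url(sig)

def build_old_op(issuer: str = ISSUER):
    # constructed old-OP documents, keyed by the URL an RP would GET them from
    n, e, d = generate_rsa()
    jwk_n, jwk_e = (b64url(x.to_bytes((x.bit_length() + 7) // 8, "big")) for x in (n, e))
    kid = hashlib.sha1(jwk_n.encode()).hexdigest()  # kid is opaque; a hex digest like the draft's example
    discovery = {issuer + "/.well-known/openid-configuration": {"issuer": issuer, "jwks_uri": issuer + "/jwks.json"},
                 issuer + "/jwks.json": {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": jwk_n, "e": jwk_e}]}}
    return (n, e, d), kid, discovery

def fetch_jwks(issuer: str, discovery: dict) -> dict:
    # stand-in for the two HTTPS GETs of OpenID Discovery
    config = discovery[issuer + "/.well-known/openid-configuration"]
    if config["issuer"] != issuer:  # Discovery requires the document to name its own issuer
        raise ValueError("issuer mismatch in openid-configuration")
    return discovery[config["jwks_uri"]]

def verify_migration_jwt(token: str, discovery: dict) -> dict:
    # returns the payload if the signature is valid, raises ValueError otherwise
    h_b64, p_b64, s_b64 = token.split(".")
    header, payload = (json.loads(b64url_decode(x)) for x in (h_b64, p_b64))
    if header.get("alg") != "RS256":  # never let the token pick "none" or an HMAC alg
        raise ValueError("unsupported alg %r" % header.get("alg"))
    jwks = fetch_jwks(payload["from"]["iss"], discovery)
    keys = [j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"
            and j.get("use", "sig") == "sig" and j.get("alg", "RS256") == "RS256"]
    if len(keys) != 1:
        raise ValueError("no unique RS256 signing key for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s_b64)
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n or pow(s, e, n) != emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k):
        raise ValueError("signature invalid")
    return payload

def demo() -> dict:
    priv, kid, discovery = build_old_op()
    token = sign_migration_jwt(priv, kid, {"from": {"iss": ISSUER, "sub": "alice-old"}})
    h, p, s = token.split(".")
    hdr = lambda alg, k: b64url(json.dumps({"alg": alg, "kid": k}).encode())
    forged = b64url(json.dumps({"from": {"iss": ISSUER, "sub": "mallory"}}).encode())
    bad = {"tampered": f"{h}.{forged}.{s}", "alg_none": f"{hdr('none', kid)}.{p}.", "unknown_kid": f"{hdr('RS256', 'deadbeef')}.{p}.{s}"}
    results = {"issuer": verify_migration_jwt(token, discovery)["from"]["iss"]}
    for name, t in bad.items():  # an RP must reject an edited payload, alg=none and an unknown kid
        try:
            verify_migration_jwt(t, discovery)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

Run demo() (Python 3.8 or later, for pow(e, -1, phi)); the genuine token verifies and the three constructed attacker tokens all come back "rejected". Two design points worth keeping in a real implementation: the accepted alg is fixed by the RP, not read from the token, and a kid must select exactly one RS256 signing key, so a JWKS with duplicate or ambiguous kids is treated as a failure rather than trying each candidate.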
