[Openid-specs-mobile-profile] Fwd: Preliminary minutes of MODRNA WG Call on August 10th 2016

Philippe Clément philippe.clement.ft at gmail.com
Tue Aug 23 09:39:36 UTC 2016


Dear all,



Back from vacations today …

James: regarding the alternative on Account Migration, it seems to me that
this has something to do with the proposal of an alternative flow that I
presented on July 26th on the list (copy below). Could you confirm ?



Best regards,

Philippe







Prerequisite:

1-    User had an account on a previous MNO (OP1)

2-    User’s account on OP1 is closed

3-    User has an account on a new MNO (OP2)

4-    Eventually, OP1 knows that user has migrated to OP2

5-    RP knows former MNO (OP1)

Use Case:

6-    User visits his usual RP and starts authentication to access the
service

7-    RP starts the OIDC flow with OP1 with usual secured hints regarding
the user

8-    OP1 answer’s with an error code “account migrated” and sends back to
the RP all the necessary subject values. If OP1 knows what OP user has
migrated to, it is inserted in the answer

9-    RP interacts with the user to get his new OP (discovery process),
unless RP already knows what OP user has migrated to.

10- RP starts the authentication process with OP2

11- According to the success of authentication on OP2, RP migrates subject
values for his RP’s account



This Use case would take place in one shot, at the moment where user needs
to authenticate at RP to get the service, so it would be very efficient in
terms of migration

It minimizes the situation of cascading OPs

It avoids to install a dialog between OP1 and OP2 and privacy concerns
regarding transfer of personal information from OP1 to OP2.

Then it avoids some situations where user will not start the migration
process by accessing a specific service to be developped on OP2.

It avoids limitations in Authorization Grant lifetime.





*De :* Openid-specs-mobile-profile [mailto:openid-specs-mobile-
profile-bounces at lists.openid.net] *De la part de*
Torsten.Lodderstedt at telekom.de
*Envoyé :* jeudi 11 août 2016 12:16
*À :* openid-specs-mobile-profile at lists.openid.net
*Objet :* [Openid-specs-mobile-profile] Preliminary minutes of MODRNA WG
Call on August 10th 2016



Hi all,



please find below the draft of the WG Call minutes.



Best regards,

Torsten.



Participants: John Bradley, Venkatasivakumar Boyalakuntla (Siva), James
Manger, Bjorn Hjelm, Florian Walter, Jörg Connotte, Nat Sakimura, Gonzalo
Fernandez Rodriguez, Ijaz Khan, Torsten Lodderstedt



Status of our high-prio drafts:

1.       Server-initiated authentication

·         Gonzalo and Florian presented the first draft (
https://bitbucket.org/openid/mobile/raw/75ca37860ae1fe90b085d32ad88507
e82e2f374f/draft-mobile-server-initiation-01.txt)

·         All WG members are asked to review it and give feedback on the
list

2.       Account migration

·         James Manger explained an alternative proposal for handling of
migration data. The basic idea is to instead of transferring it via a
signed JWT, the old OP exposes an endpoint where the RP can directly call
and determine whether and where a particular account has been migrated to

·         The RP should be able to authenticate with the old OP since it is
a RP of this OP as well (since it uses the old OP for logins)

·         pro: no issue regarding signing key expiration

·         James will post a more detailed description on the list so we can
have a discussion of which way to go

3.       Attributes UserInfo/PremiumInfo

- Siva presented current list

- WG members gave feedback and advice on how to incorporate Mobile Connect
specific claims into OIDC (UserInfo and ID Token) by constructing collision
resistant claim names

- Siva takes this back to CPAS



Status Workshop

·         Eventbrite event has been set up and will be distributed soon

·         No further information on location and logistics since Philippe
did not attend the call







*Deutsche Telekom AG*

Group *Innovation**+* / Products & Innovation

Dr.-Ing. Torsten Lodderstedt

Leiter Enabling Platforms / Technology

T-Online Allee 1, 64295 Darmstadt, Germany

+49 6151 5837619  (Phone)

E-Mail: torsten.lodderstedt at telekom.de <t.lodderstedt at telekom.de>

www.telekom.com



*Life is for sharing.*



You can find the obligatory information on www.telekom.com/compulsory-
statement



*Big changes start small – conserve resources by not printing every e-mail.*







_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez
recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les
messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere,
deforme ou falsifie. Merci.

This message and its attachments may contain confidential or
privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and
delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have
been modified, changed or falsified.
Thank you.



---------- Message transféré ----------
From: <philippe.clement at orange.com>
To: "Torsten.Lodderstedt at telekom.de" <Torsten.Lodderstedt at telekom.de>, "
openid-specs-mobile-profile at lists.openid.net" <
openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>
Date: Tue, 26 Jul 2016 13:48:00 +0000
Subject: RE: New Version of Account Migration Draft

Hi Torsten,



Thank you for this very valuable document.



By reading the set of 2 phases, I was wondering if we could add a scenario
combining these 2 ones.

In this scenario, we could have:



Prerequisite:

1-    User had an account on a previous MNO (OP1)

2-    User’s account on OP1 is closed

3-    User has an account on a new MNO (OP2)

4-    Eventually, OP1 knows that user has migrated to OP2

5-    RP knows former MNO (OP1)

Use Case:

6-    User visits his usual RP and starts authentication to access the
service

7-    RP starts the OIDC flow with OP1 with usual secured hints regarding
the user

8-    OP1 answer’s with an error code “account migrated” and sends back to
the RP all the necessary subject values. If OP1 knows what OP user has
migrated to, it is inserted in the answer

9-    RP interacts with the user to get his new OP (discovery process),
unless RP already knows what OP user has migrated to.

10- RP starts the authentication process with OP2

11- According to the success of authentication on OP2, RP migrates subject
values for his RP’s account



This Use case would take place in one shot, at the moment where user needs
to authenticate at RP to get the service, so it would be very efficient in
terms of migration

It minimizes the situation of cascading OPs

It avoids to install a dialog between OP1 and OP2 and privacy concerns
regarding transfer of personal information from OP1 to OP2.

Then it avoids some situations where user will not start the migration
process by accessing a specific service to be developped on OP2.

It avoids limitations in Authorization Grant lifetime.



I could have missed something important, and so I’m looking forward to any
feedback from the list



Kind regards,

Philippe



*De :* Openid-specs-mobile-profile [mailto:openid-specs-mobile-
profile-bounces at lists.openid.net] *De la part de*
Torsten.Lodderstedt at telekom.de
*Envoyé :* mardi 19 juillet 2016 13:30
*À :* openid-specs-mobile-profile at lists.openid.net
*Objet :* [Openid-specs-mobile-profile] New Version of Account Migration
Draft



Hi all,



I just published -01 of the account migration draft at openid.net (
http://openid.net/wordpress-content/uploads/2014/04/draft-
account-migration-01.html). The source code can be found in our Bitbucket
repo.



This is a significant rewrite of the specification based on your valuable
feedback. Thank you! Although I tried to incorporate all review comments,
please bear with me if I missed a comment. Please let me know, so I can
incorporate it in the next revision.



I applied the following changes to the document:



·         reorganized the draft

·         extended introduction and overview

·         stated scope of the draft and what is currently out of scope

·         changed terminology from porting to migration

·         changed migration data structure to be different from an id token

·         cleaned up references

·         added initial security considerations



Please post your feedback to the list.



best regards,

Torsten.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160823/02a8bc33/attachment-0001.html>
-------------- next part --------------
An embedded message was scrubbed...
From: unknown sender
Subject: no subject
Date: no date
Size: 38951
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160823/02a8bc33/attachment-0001.mht>


More information about the Openid-specs-mobile-profile mailing list