[Openid-specs-mobile-profile] Alternative account porting design

Torsten Lodderstedt torsten at lodderstedt.net
Tue Aug 23 15:20:56 UTC 2016

Hi James,

thanks for writing down your proposal.

One question directly popped up in my mind: Why does the old OP issue 
per RP/sector id porting tokens? This requires the new OP to correctly 
co-relate RPs and the corresponding porting tokens (which in turn seems 
to correspond to particular subject values). Identifying RPs is one of 
the open issues of my draft and it retains an open issue in your draft 
as well. It won't reliably work for native apps (and in the end break 
encapsulation of the old OP). Your design has the potential to deal with 
it by just letting the old OP do this part of the job.

Let me explain how:
I personally think a single porting token representing the old OP 
account should suffice. Everything else can be done by the old OP using 
the data/credentials at hand (because the RP is also known to the old OP!).

1) old OP issues a single porting token (related to the ported OP 
account) to the new OP
2) the new OP stores this porting token (along with the iss value of the 
old OP) with its corresponding OP account
2) new OP adds "aka" (I like that name :-)) to the ID token with every 
login response for such an account
3) RP sends request to porting check API at the old OP, including the 
porting token + the credentials it regularily uses to 
identify/authenticate with the tokens endpoint of this particular OP (it 
must have an identity with this OP as it is a RP for this OP as well)
4) the old OP applies the same logic as for a regular login request, 
i.e. it authenticates the RP and determines the appropriate subject 
value (based on its RP-specific policy and other data)
5) the old OP returns this subject value (public or pairwise) to the RP
6) RP uses the subject value to find local account

Benefit: the old OP is able to determine the RP's identity and the 
correct subject value. Moreover, it stays in full control of which data 
is handed of to what RP. The new OP does not need to know anything about 
the different local accounts associated with the ported OP account.

What do you think?

best regards,

Am 16.08.2016 um 09:17 schrieb Manger, James:
> Attached is an alternative technical design to support porting between 
> OPs.
>   OpenID Connect Account Porting
>   draft-account-porting-00
>   Abstract: This document specifies mechanisms to support a user 
> porting from
>   one OpenID Connect Provider to another, such that relying parties can
>  automatically recognize and verify the change.
> It requires an RP to make an API call to the Old OP to confirm a port, 
> instead of handling an extra JWT signed by the Old OP.
> It use a port_token (per user per RP) to link a porting event across 
> interactions from the Old OP to the New OP, then to the RP, then back 
> to the Old OP. A port_token is opaque to the New OP and RP so it could 
> be a structured value (such as a JWT) if desired by the Old OP to 
> minimize state in an implementation; otherwise a 256-bit 
> base64url-encoded random value referencing the porting state will do.
> It does NOT require an OAuth 2.0 dance by the RP to confirm a port. It 
> assumes the port_token acts like a capability (not unlike a bearer 
> access token).
> It uses Sector Ids to identify (groups of related) RPs.
> It supports chaining of multiple ports if required.
> The Security Considerations are copied unchanged from 
> draft-account-migration-02.
> Annex A is an example in the form of a sequence diagram (embedded with 
> a data: URL).
> It does require that an Old OP remains available until RPs have 
> confirmed ports (which could be months later). However, those 
> responses could be implemented with a static web site if required so I 
> do think this need be an onerous burden or risk.
> [1] Torsten’s current draft design using JWTs: 
> http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-02.html
> --
> James Manger
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160823/5eb97933/attachment.html>

More information about the Openid-specs-mobile-profile mailing list