[Openid-specs-mobile-profile] Account Migration - move vs. link

Manger, James James.H.Manger at team.telstra.com
Fri Oct 7 00:29:58 UTC 2016


> Shall the spec also support "link"?

Yes.

> If so, who decides whether an account is moved or linked?

The Old OP should tell each RP (if it knows).

The Old OP could ask the user (eg during the OAuth consent flow to give a New OP access to porting data), but that seems more of an internal issue for the Old OP. The externally visible part is a signal to RPs.

Suggestion: define a "disabled" member that can be included (alongside "sub") in a response to an RP's call to an Old OP's Porting check API.

"disabled": true - means this account is now disabled at the Old OP; the RP shouldn't expect (so shouldn't accept) any further login for this user via the Old OP so it can remove {Old OP/sub} from this user's account at the RP.

"disabled": false - means this account is still active at the Old OP; the Old OP expects the user to continue logging in from the Old OP; the RP should continue to accept logins via the Old OP. This "porting" event is linking identities from the Old OP and New OP without deprecating either. The RP should accept both as valid login mechanisms for the user.

"disabled" absent - means the Old OP isn't committing either way; or perhaps we make one choice the default so absence means that.

Bike shedding:
Instead of "disabled": true/false, how about "remove": true/false? That makes it clearer that it is asking the RP to do something.

--
James Manger

From: Torsten.Lodderstedt at telekom.de [mailto:Torsten.Lodderstedt at telekom.de]
Sent: Thursday, 6 October 2016 5:28 PM
To: openid-specs-mobile-profile at lists.openid.net
Cc: Manger, James <James.H.Manger at team.telstra.com>; argggh at telenordigital.com
Subject: Account Migration - move vs. link

Hi all,

in Paris we had an extensive discussion about the semantics of the migration. We came up with the consensus that there are two use cases, move and link:
* Move: all federated ids of an OP account (or parts of it, e.g. the "Mobile Connect" account) are moved to the new OP and deleted at the old OP. The user won't be able to log in to the respective RPs with the old OP account afterwards (unless the user registers again with the RPs). The lifecycle of the OP account is left at the discretion of the old OP.
* Link: all federated ids of an OP account (or parts of it, e.g. the "Mobile Connect" account) are _copied_ to the new OP. So the user will be able to log in to the respective RPs with both OP accounts, at the old and the new OP.

We learned the Mobile Connect expectation is that the Mobile Connect portion of the old OP account is deleted during (or as result of) the migration. So our spec needs to support this use case.

The following questions are still not yet decided:
* Shall the spec also support "link"?
* If so, who decides whether an account is moved or linked?

Please state your opinion on this topic within the next week so we can come to a consensus about this topic.

Thanks in advance,
Torsten.
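Added example (not code from the thread, the Mobile Connect spec, or either author): an RP-side handler showing what the "disabled" member proposed in James's reply would mean for the RP's identity table. It assumes a hypothetical flow in which a login arrives from the New OP claiming the user was ported from a given Old OP subject, the RP calls the Old OP's Porting check API, and the response is a JSON object carrying "sub" (the subject at the Old OP) and optionally "disabled". The RP account model, the function names and the sample responses are all constructed for this example; the default of treating an absent "disabled" as a move is one of the two options the reply leaves open and is chosen here because it fails closed (the Old OP identity stops being accepted).

```python
"""RP handling of a hypothetical Porting check response with "disabled".

Added example, not part of the original thread. Everything except the
member names "sub" and "disabled" is an assumption made for illustration.
"""
import json
from dataclasses import dataclass, field


@dataclass
class RpAccount:
    """A local RP account and the federated identities allowed to log in to it."""
    user_id: str
    identities: set = field(default_factory=set)  # members are (issuer, sub) pairs


def is_login_accepted(account: RpAccount, iss: str, sub: str) -> bool:
    """True if a login asserted by issuer `iss` for subject `sub` maps to this account."""
    return (iss, sub) in account.identities


def apply_porting_check(account: RpAccount, old_iss: str, claimed_old_sub: str,
                        new_iss: str, new_sub: str, porting_response_json: str,
                        default_disabled: bool = True) -> str:
    """Apply the Old OP's Porting check response to an RP account.

    "disabled": true  -> move: drop (old_iss, sub), add (new_iss, new_sub)
    "disabled": false -> link: keep (old_iss, sub), add (new_iss, new_sub)
    absent            -> default_disabled (assumption: treat as a move)

    Returns "moved" or "linked". Raises ValueError when the response does
    not match the identity the New OP claimed, when the claimed Old OP
    identity is not linked to this account, or when "disabled" is not a
    JSON boolean. The caller is assumed to have fetched the response over
    an authenticated channel to the Old OP; this function only applies it.
    """
    resp = json.loads(porting_response_json)
    if resp.get("sub") != claimed_old_sub:
        raise ValueError("Old OP 'sub' does not match the ported-from identity")
    old_identity = (old_iss, claimed_old_sub)
    if old_identity not in account.identities:
        raise ValueError("ported-from identity is not linked to this RP account")
    disabled = resp.get("disabled", default_disabled)
    if not isinstance(disabled, bool):
        raise ValueError('"disabled" must be a JSON boolean')
    account.identities.add((new_iss, new_sub))
    if disabled:
        account.identities.discard(old_identity)  # no further Old OP logins accepted
        return "moved"
    return "linked"


# Constructed sample data (hypothetical issuers, subjects and responses).
OLD_ISS = "https://old-op.example"
NEW_ISS = "https://new-op.example"
RESPONSE_MOVE = '{"sub": "abc123", "disabled": true}'
RESPONSE_LINK = '{"sub": "abc123", "disabled": false}'
RESPONSE_SILENT = '{"sub": "abc123"}'


def demo(porting_response_json: str) -> tuple:
    """Run one porting check on a fresh account; return (outcome, old_ok, new_ok)."""
    account = RpAccount("user-1", {(OLD_ISS, "abc123")})
    outcome = apply_porting_check(account, OLD_ISS, "abc123", NEW_ISS, "xyz789",
                                  porting_response_json)
    return (outcome,
            is_login_accepted(account, OLD_ISS, "abc123"),
            is_login_accepted(account, NEW_ISS, "xyz789"))


if __name__ == "__main__":
    for name, resp in (("move", RESPONSE_MOVE), ("link", RESPONSE_LINK),
                       ("absent", RESPONSE_SILENT)):
        print(name, demo(resp))
```

Whichever name the group settles on ("disabled" or "remove"), the RP-side logic is the same: a true value tells the RP to stop honouring the {Old OP, sub} pair, a false value tells it to keep both pairs, and the RP should reject a response whose "sub" does not match the identity the New OP claimed was ported.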

