[Openid-specs-mobile-profile] Account porting within the same OP
Marcos Sanz
sanz at denic.de
Fri Jun 1 06:06:39 UTC 2018
Dear wg,
we've been reading your work
http://openid.net/specs/openid-connect-account-porting-1_0.html
and we think we could use it for porting of identifiers in our OIDC
scenario (which has nothing to do with GSMA Mobile Connect; for details of
our deployment see
https://tools.ietf.org/html/draft-bertola-dns-openid-pidi-architecture-01
).
There are situations in our deployment where the "Old OP" is at the same
time the "New OP" (somebody migrating their identity from one domain name
to another one (the subject identifier does change) but staying within the
same domain name registry). The current porting draft of the WG certainly
allows for this, but there's an unnecessary overhead there (for the OP to
issue the enc_port_token and to run additional endpoints, additional
roundtrips in the workflow, etc.).
It'd be so nice if, talking generically, when the "New OP" knows the
subject identifier at the "Old OP" for whatever reason (which covers our
case, because "New OP" = "Old OP" and thus the OP knows the old sub), it
could deliver the old sub right ahead in the ID token. Maybe within the
"aka" element (as an alternative to the enc_port_token child element), maybe
with a new "aka-sub" parent element, so as not to overload "aka" syntax.
What do you think?
Best,
Marcos
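To make the proposal concrete from the relying party's side, here is an added example (not code from the OpenID Foundation drafts, the working group, or the DENIC deployment). It handles the "aka" claim of an ID token whose signature has already been verified: the "aka" object with "iss" and "enc_port_token" is what the account porting draft defines, while "aka.sub" (the old subject delivered directly) is the shortcut proposed in the e-mail above and is treated here as an assumption. The key check a defender wants is that a directly asserted old sub is only believed when the token issuer is itself the old OP (aka.iss equals iss), because that is the one case in which the signer is vouching for its own subject; for any other old issuer the RP still has to go through enc_port_token and the old OP's port endpoint. All issuer URLs, subject identifiers and client ids are constructed sample values.

```python
"""RP-side decision logic for the OpenID Connect account porting "aka" claim.

Added example, not the drafts' or the deployment's own code. "aka.sub" is
the shortcut proposed on the list and is an assumption here.
"""

from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class PortingDecision:
    action: str                      # "none", "linked", "fetch_port_token", "rejected"
    old_iss: Optional[str] = None
    old_sub: Optional[str] = None
    reason: Optional[str] = None


def decide_porting(payload: dict, known_accounts: Set[Tuple[str, str]]) -> PortingDecision:
    """Decide what the RP does with "aka" in an already signature-verified ID token.

    known_accounts holds the (iss, sub) pairs the RP currently has accounts for.
    """
    aka = payload.get("aka")
    if aka is None:
        return PortingDecision("none")
    if not isinstance(aka, dict) or "iss" not in aka:
        return PortingDecision("rejected", reason="aka must be an object carrying iss")

    old_iss = aka["iss"]
    if "sub" in aka:
        # Proposed shortcut: the OP names the old sub itself. The RP may only
        # believe that when the token issuer *is* the old OP, i.e. the signer
        # asserts something about its own subject. Otherwise any OP could
        # claim any identity at any other OP without proof, which is exactly
        # what enc_port_token and the port endpoint exist to prevent.
        if old_iss != payload["iss"]:
            return PortingDecision("rejected", old_iss, aka["sub"],
                                   "direct aka.sub only accepted when aka.iss == iss")
        if aka["sub"] == payload["sub"]:
            return PortingDecision("rejected", old_iss, aka["sub"],
                                   "aka.sub equals the new sub; nothing to port")
        if (old_iss, aka["sub"]) not in known_accounts:
            return PortingDecision("none", old_iss, aka["sub"], "no local account to port")
        return PortingDecision("linked", old_iss, aka["sub"])

    if "enc_port_token" in aka:
        # Cross-OP case from the draft: the RP must take enc_port_token to the
        # Old OP's port endpoint to learn the old sub. That exchange is not
        # simulated here.
        return PortingDecision("fetch_port_token", old_iss)

    return PortingDecision("rejected", old_iss,
                           reason="aka carries neither sub nor enc_port_token")


# Constructed sample data: one registry-run OP, claims only (no JWT encoding).
REGISTRY_OP = "https://id.registry.example"      # constructed issuer
OTHER_OP = "https://id.other-op.example"         # constructed issuer
KNOWN_ACCOUNTS = {(REGISTRY_OP, "old-domain.example"),
                  (OTHER_OP, "someone@other-op")}

# Same-OP porting with the proposed direct old sub.
SAME_OP_PAYLOAD = {"iss": REGISTRY_OP, "sub": "new-domain.example", "aud": "rp-client",
                   "aka": {"iss": REGISTRY_OP, "sub": "old-domain.example"}}
# Cross-OP porting as the draft defines it (opaque token, value constructed).
CROSS_OP_PAYLOAD = {"iss": REGISTRY_OP, "sub": "new-domain.example", "aud": "rp-client",
                    "aka": {"iss": OTHER_OP, "enc_port_token": "opaque-token-value"}}
# An OP directly asserting an old sub that belongs to a different OP: must be refused.
SPOOFED_PAYLOAD = {"iss": REGISTRY_OP, "sub": "new-domain.example", "aud": "rp-client",
                   "aka": {"iss": OTHER_OP, "sub": "someone@other-op"}}


def run_demo() -> dict:
    """Return the decision for each constructed payload, keyed by scenario."""
    return {
        "same_op": decide_porting(SAME_OP_PAYLOAD, KNOWN_ACCOUNTS),
        "cross_op": decide_porting(CROSS_OP_PAYLOAD, KNOWN_ACCOUNTS),
        "spoofed": decide_porting(SPOOFED_PAYLOAD, KNOWN_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The three constructed payloads cover the same-OP case the e-mail is about (linked directly), the cross-OP case as the draft specifies (the RP still has to fetch the old sub via the port endpoint), and a token in which an OP names an old sub at some other OP, which the RP refuses because only the enc_port_token path proves that claim.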