[Openid-specs-mobile-profile] Account porting within the same OP

Marcos Sanz sanz at denic.de
Fri Jun 1 07:30:08 UTC 2018


> It isn't sufficient for New OP to *know* Old OP's sub. The RP needs
> *proof from Old OP* that this sub did port to New OP.

Absolutely.

> For your specific case where New OP = Old OP, though, the RP is
> authenticating both together so it should be okay. Effectively the
> OP is saying these 2 (or more) subs are aliases for the same user. A use
> case could be merging two accounts.
>
> Simplest solution: a new id_token member named "subs" whose value is an
> array of strings that are other "sub" values for the same user.

It's very fine by me. However, conceptually that should be a child element 
of "aka", shouldn't it?

> The Account Porting spec also defines a "remove" member to indicate if
> the RP should remove or keep the old sub in addition to the
> new sub. So an array of {sub, remove} pairs might be better, or perhaps
> we can assume {remove:true} for the New OP = Old OP case?

That's not in the ID token anymore, but only in the answers of the porting 
check API after presenting the enc_port_token there, if I understand it 
correctly.
Thus, if we remain in this use case, there's no need to change those API 
answers, because when New OP = Old OP there's no enc_port_token around.

Best,
Marcos

> 
> --
> James Manger
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile
> [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of
> Marcos Sanz
> Sent: Friday, 1 June 2018 4:07 PM
> To: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] Account porting within the same
> OP
> 
> Dear wg,
> 
> we've been reading your work
> http://openid.net/specs/openid-connect-account-porting-1_0.html
> and we think we could use it for porting of identifiers in our OIDC
> scenario (which has nothing to do with GSMA Mobile Connect;
> for details of our deployment s.
> https://tools.ietf.org/html/draft-bertola-dns-openid-pidi-architecture-01
> ).
> 
> There are situations in our deployment where the "Old OP" is at the same
> time the "New OP" (somebody migrating their identity from
> one domain name to another one -subject identifier does change- but
> staying within the same domain name registry). The current
> porting draft of the WG certainly allows for this, but there's an
> unnecessary overhead there (for the OP to issue the
> enc_port_token and to run additional endpoints, additional roundtrips in
> the workflow, etc.).
> 
> It'd be so nice if, talking generically, when the "New OP" knows the
> subject identifier at the "Old OP" for whatever reason,
> (which covers our case, because "New OP"="Old OP" and thus the OP knows
> the old sub) it could deliver the old sub right ahead in
> the ID token. Maybe within the "aka" element (as alternative to the
> enc_port_token child element), maybe with a new "aka-sub"
> parent element, so as not to overload "aka" syntax.
> 
> What do you think?
> 
> Best,
> Marcos
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
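As an added illustration, not part of this thread and not code from the Account Porting spec or the working group: the check an RP would run for the New OP = Old OP case discussed above. The point made in the exchange is that the RP may trust the alias list only because it arrives in an ID token signed by the very issuer that originally issued the old sub, so the RP matches each alias under the token's own `iss` and ignores any it cannot vouch for (an alias known only under another issuer would still need the spec's enc_port_token proof). The `subs` claim name is the proposal from the thread, not a standardised claim; the HS256 shared key, the audience value and the in-memory account store are assumptions made for the example, and a real RP validates the OP's asymmetric signature against its published JWKS.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; assumption for the example only. A real RP verifies
# RS256/ES256 ID-token signatures against the OP's JWKS, never a shared secret.
DEMO_KEY = b"constructed-demo-secret"
RP_CLIENT_ID = "rp-client-id"  # assumed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(iss: str, sub: str, subs: list[str], key: bytes = DEMO_KEY) -> str:
    """Issue a minimal HS256-signed ID token carrying the proposed 'subs' alias claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "sub": sub, "aud": RP_CLIENT_ID, "subs": subs}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check algorithm, signature and audience; return the claims or raise ValueError."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("wrong audience")
    return claims


def link_aliases(accounts: dict, claims: dict) -> tuple[Optional[str], list[str]]:
    """Merge the token's sub with the aliases in 'subs', but only aliases the RP
    already knows under the SAME issuer: that issuer signed the token, so it is
    the party entitled to vouch for them. Returns (account_id, rejected_aliases)."""
    iss = claims["iss"]
    account = accounts.get((iss, claims["sub"]))
    rejected: list[str] = []
    for alias in claims.get("subs", []):
        existing = accounts.get((iss, alias))  # lookup is scoped to the token's iss
        if existing is None:
            rejected.append(alias)  # unknown here, or known only under another OP
            continue
        if account is None:
            account = existing
        elif existing != account:
            rejected.append(alias)  # two distinct local accounts: needs a manual merge
    if account is not None:
        accounts[(iss, claims["sub"])] = account  # record the new sub as an alias
    return account, rejected


if __name__ == "__main__":
    # Constructed RP state: one account at the OP, one at an unrelated OP.
    store = {
        ("https://op.example", "old-sub"): "acct-1",
        ("https://other-op.example", "foreign-sub"): "acct-2",
    }
    token = make_id_token("https://op.example", "new-sub", ["old-sub", "foreign-sub"])
    print(link_aliases(store, verify_id_token(token)))
```

Keying the account store by `(iss, sub)` is what makes the same-OP rule fall out naturally: the lookup under the token's issuer succeeds for `old-sub` and fails for `foreign-sub`, which belongs to a different OP and therefore cannot be vouched for by this token.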