[Openid-specs-mobile-profile] Account porting within the same OP

Marcos Sanz sanz at denic.de
Fri Jun 1 09:17:12 UTC 2018

> >> The Account Porting spec also defines a "remove" member to indicate
> >> the RP should remove or keep the old sub in addition to the
> >> new sub. So an array of {sub, remove} pairs might be better, or
> >> we can assume {remove:true} for the New OP = Old OP case?
> > That's not in the ID token anymore, but only in the answers of the
> > check API after presenting the enc_port_token there, if I understand
> > correctly.
> > Thus, if we remain in this use case, there's no need to change those
> > answers, because when New OP = Old OP there's no enc_port_token
> When the OP says "here is a new and old sub for this user", do you want
> the RP to replace the old sub with the new one in the RP's
> account DB? Or do you want them to have old & new as two acceptable
> subs? Or, rephrasing, will the OP always use the new sub from
> now on, or is there some reason it might use either in subsequent
> logins? This is what the "remove" member conveys. It seems
> equally applicable whether the OP delivers the old sub from the
> port_check_endpoint or in the id_token.

I understand. I think it's interesting information to convey, but it's
ineffective to deliver it via the porting check API (in the New OP = Old
OP case) because I don't even expect RPs to go there to check for
anything. So, it could be encoded as an array of {sub, remove} pairs in
the ID token.
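
Added example, not part of the original message or of any OpenID specification: a sketch of how an RP could apply an array of {sub, remove} pairs taken from an already-validated ID token in the New OP = Old OP case. The claim name `old_subs` and the `AccountStore` class are hypothetical; the thread does not name the claim.

```python
# Added example: RP-side handling of {sub, remove} pairs from a validated ID token.
# Assumptions: the claim name "old_subs" and the in-memory AccountStore are hypothetical.

class AccountStore:
    """Maps (issuer, sub) to a local account id."""
    def __init__(self):
        self._links = {}

    def link(self, iss, sub, account_id):
        self._links[(iss, sub)] = account_id

    def unlink(self, iss, sub):
        self._links.pop((iss, sub), None)

    def lookup(self, iss, sub):
        return self._links.get((iss, sub))


def apply_sub_change(store, claims):
    """Apply the pairs and return the local account id for this login (or None)."""
    iss, new_sub = claims["iss"], claims["sub"]
    account = store.lookup(iss, new_sub)
    to_unlink = []
    # Pass 1: validate everything before touching the store.
    for pair in claims.get("old_subs", []):
        old_sub, remove = pair["sub"], pair["remove"]
        if not isinstance(remove, bool):
            raise ValueError("remove must be a boolean")
        # Old subs are only looked up under the issuer that signed this token.
        old_account = store.lookup(iss, old_sub)
        if old_account is None or old_sub == new_sub:
            continue
        if account is not None and old_account != account:
            raise ValueError("old and new sub belong to different local accounts")
        account = old_account
        if remove:
            to_unlink.append(old_sub)
    # Pass 2: link the new sub, then drop old subs the OP will no longer use.
    if account is not None:
        store.link(iss, new_sub, account)
    for old_sub in to_unlink:
        store.unlink(iss, old_sub)
    return account
```

With `remove` false the old sub stays linked, so either sub resolves to the same local account on later logins; a pair that would merge two different local accounts is rejected before the store is modified.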

