[Openid-specs-mobile-profile] Account porting within the same OP

Engan, Michael Michael.Engan1 at T-Mobile.com
Wed Jun 6 16:22:09 UTC 2018


So I have been putting thought into the porting scenario. I agree with Torsten that the RP/SP will always choose the lazy path and won't bother with calling a porting endpoint.

When sub1 on mno1 ports to sub2 on mno2, the RP/SP will be getting an ID token containing an AKA. I also like the idea that the RP has everything within the id_token. My suggestion (in combination with brainstorming with Shahram) is that the AKA should contain an encrypted version of the old sub. The RP can use the JWK encryption public key from MNO1 to decrypt the old subject. This would give the RP confirmation that MNO1 consented to the port out.
The only other variation I have not figured out yet is a better method to have mno1 explicitly say the user ported TO mno2.

{
  "sub": "sub2",
  "aka": {
    "mno1": {
      "old_sub": "{encrypted sub1}"
    }
  }
}

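Added example (editor's note, not code from this thread or from the account-porting spec): the sketch above has MNO1 vouch for the old sub via its JWK public key. An RP that holds only MNO1's public key can verify a signature but cannot decrypt anything, so this example models the same "MNO1 consented" property as a JWS that MNO1 signs and MNO2 embeds in its id_token; the RP then verifies it against MNO1's published key. Including the destination issuer in the signed payload also covers the open point about MNO1 explicitly saying the user ported TO mno2. The claim names ("aka", "jwt", "ported_to"), the EdDSA algorithm and the example issuers and subs are all assumptions, and the key map stands in for keys fetched from each old OP's jwks_uri.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// portAssertion is the assumed payload the OLD OP (MNO1) signs when a subscriber ports out.
type portAssertion struct {
	Iss      string `json:"iss"`       // old OP issuer
	Sub      string `json:"sub"`       // old subject at MNO1
	PortedTo string `json:"ported_to"` // new OP issuer the user moved to (assumed claim name)
}

// idToken carries the assumed "aka" claim: the old OP's issuer and the JWS it produced.
type idToken struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aka struct {
		Iss string `json:"iss"`
		JWT string `json:"jwt"`
	} `json:"aka"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWS builds a compact EdDSA JWS: b64url(header).b64url(payload).b64url(sig).
func signJWS(priv ed25519.PrivateKey, payload []byte) string {
	input := b64([]byte(`{"alg":"EdDSA"}`)) + "." + b64(payload)
	return input + "." + b64(ed25519.Sign(priv, []byte(input)))
}

// verifyJWS checks the signature under pub and returns the decoded payload.
func verifyJWS(pub ed25519.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, errors.New("bad base64url in JWS")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "EdDSA" {
		return nil, errors.New("unexpected alg") // the token must not choose the algorithm
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// rpResolveOldSub is the RP side: the old sub is accepted only if the embedded
// assertion verifies under the OLD OP's key, names that OP as iss, and names the
// NEW OP (the id_token issuer) as the destination.
func rpResolveOldSub(tok idToken, oldOpKeys map[string]ed25519.PublicKey) (string, error) {
	pub, ok := oldOpKeys[tok.Aka.Iss]
	if !ok {
		return "", errors.New("unknown old OP")
	}
	payload, err := verifyJWS(pub, tok.Aka.JWT)
	if err != nil {
		return "", err
	}
	var a portAssertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Iss != tok.Aka.Iss || a.PortedTo != tok.Iss {
		return "", errors.New("assertion does not bind old OP to this new OP")
	}
	return a.Sub, nil
}

// portScenario runs the exchange with constructed issuers and subs. With forged set,
// MNO2 signs the assertion with its own key instead of MNO1's; the RP must reject it.
func portScenario(forged bool) (string, error) {
	mno1Pub, mno1Priv, _ := ed25519.GenerateKey(rand.Reader)
	_, mno2Priv, _ := ed25519.GenerateKey(rand.Reader)
	const mno1, mno2 = "https://mno1.example", "https://mno2.example"
	signer := mno1Priv
	if forged {
		signer = mno2Priv
	}
	// 1. MNO1 signs the port-out assertion when the number ports.
	payload, _ := json.Marshal(portAssertion{Iss: mno1, Sub: "sub1", PortedTo: mno2})
	// 2. MNO2 issues its id_token for sub2 and embeds the assertion in "aka".
	tok := idToken{Iss: mno2, Sub: "sub2"}
	tok.Aka.Iss, tok.Aka.JWT = mno1, signJWS(signer, payload)
	// 3. The RP verifies against MNO1's published public key.
	return rpResolveOldSub(tok, map[string]ed25519.PublicKey{mno1: mno1Pub})
}
```

portScenario(false) returns "sub1"; portScenario(true) returns an error because the assertion was not signed by the key the RP associates with MNO1. The RP never has to call MNO1 at login time, which is the "lazy path" the thread expects RPs to take.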
-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Marcos Sanz
Sent: Tuesday, June 05, 2018 4:00 AM
To: Manger, James <James.H.Manger at team.telstra.com>
Cc: openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] Account porting within the same OP

Hi James,

> A solution for Marcos (same OP, diff sub) is fairly easy: just include the old sub(s) in the id_token. The main issues are syntax and process.
> Should the id_token become:
>   { "sub":"new789", ..., "subs": ["old123", "old456"] } Or
>   { "sub":"new789", ..., "aka": {"subs": ["old123", "old456"]} } Or
>   { "sub":"new789", ..., "old": [ { "sub":"old123", "remove":true}, { "sub":"old456", "remove":false } ] }
> Should it be specified in openid-connect-account-porting-1_0, or a separate (quite short and simple) spec?

If you ask me, this
a) is in scope of openid-connect-account-porting-1_0,
b) would be a pretty easy addendum to section 5,
c) makes the standards more unclear/confusing if it'd become a separate 
spec (I am still confused by the trilogy session-management/frontchannel 
logout/backchannel logout).

How to move along? Do we want to talk about it during next Tuesday's 
telco?

Best,
Marcos

> One option for the "Old OP no longer exists" use case could be for the New OP to take over the Old OP domain name.
> RPs process id_tokens as per Account Porting. RPs don't know, nor need to know, that the Old OP has been completely replaced. The New OP needs to host a static openid-configuration file at the Old OP's domain (https://oldop.example.net/.well-known/openid-configuration), though the "port_check_endpoint" can point to a New OP domain. That endpoint probably needs to support RP credentials established with the Old OP.
> No spec changes are needed.
> 
> --
> James Manger
> 
> -----Original Message-----
> From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> Sent: Saturday, 2 June 2018 12:29 AM
> To: Manger, James <James.H.Manger at team.telstra.com>
> Cc: Marcos Sanz <sanz at denic.de>; openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] Account porting within the same OP
> 
> Hi James,
> 
> > On 01.06.2018 at 09:04, Manger, James <James.H.Manger at team.telstra.com> wrote:
> > 
> > it will be too tempting for a developer to just use it without checking with Old OP.
> 
> I agree, this is a serious risk.
> 
> I nevertheless support this additional feature. I have a porting case where the old IDP no longer exists when the actual porting with the RP takes place. Instead another IDP takes responsibility for ALL user accounts of the old IDP. This also allows migrating all user data to the new IDP in a chunk before the old IDP is turned off.
> 
> In our case, the new IDP must tell the RP the old sub and iss values. We prevent account takeover by having a central authority which tells the RP what IDP „officially“ took over for the old IDP.
> 
> kind regards,
> Torsten.
> 

_______________________________________________
Openid-specs-mobile-profile mailing list
Openid-specs-mobile-profile at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
