[Openid-specs-risc] Account State Events Format

Marius Scurtescu mscurtescu at google.com
Thu May 18 00:23:20 UTC 2017

At the face-to-face a couple of weeks ago and also on Monday during our
call we talked about RISC events that reflect an account state change
between disabled and enabled. For example, account hijacked / recovered,
account deleted / undeleted, etc.

On one hand there are privacy concerns, and for example if a user violated
ToS with a provider then that fact should not be disclosed (I think we have
agreement here).

On the other hand, at least with some of the events we do want to be very
specific so abuse systems get a quality signal.

So far the agreement was that hijacking and accounts created by bots need a
distinct signal, everything else can use a generic one.

I am proposing the following format:

1. All of these events will use these two event type URIs:

2. For hijacking and bot-created accounts the transmitter should add a nested
attribute called "reason" with values like "hijacking" and "bot".

An example (the event type URI key did not survive in the archived mail, so a
placeholder stands in for it):

{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "iat": 1471566154,
  "jti": "bWJq",
  "events": {
    "<account state event type URI>": {
      "reason": "hijacking"
    }
  }
}

We can define more values for "reason" and transmitters could choose to
provide them. The more distinct events are provided the easier it is to
identify the ToS cases through elimination, so there should be a good
reason to be specific (if ToS privacy is a concern).
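As an added example (not code from this thread or from the RISC spec), here is how a receiver might extract the account state and the optional "reason" from such an event. The two event type URIs are not listed in the mail, so the URIs below are placeholder assumptions; absent or unrecognised reasons collapse to "generic" so the receiver neither breaks on future values nor infers a ToS case from silence.

```python
import json

# Placeholder URIs: the mail does not list the two event type URIs, so these
# are assumptions for this example, not values from the RISC spec.
ACCOUNT_DISABLED = "https://risc.example.invalid/event-type/account-disabled"
ACCOUNT_ENABLED = "https://risc.example.invalid/event-type/account-enabled"
STATE_BY_URI = {ACCOUNT_DISABLED: "disabled", ACCOUNT_ENABLED: "enabled"}

# Reason values named in the proposal; anything else collapses to "generic",
# so a receiver cannot read a ToS case out of an absent or unfamiliar value
# and unknown future values do not break it.
KNOWN_REASONS = {"hijacking", "bot"}


def build_sample(event_uri, event_body):
    """Constructed SET payload (claims taken from the mail's example)."""
    return json.dumps({
        "iss": "https://server.example.com",
        "sub": "248289761001",
        "aud": "s6BhdRkqt3",
        "iat": 1471566154,
        "jti": "bWJq",
        "events": {event_uri: event_body},
    })


def parse_account_state(payload):
    """Return {"sub", "jti", "state", "reason"} for an account state SET.

    Raises ValueError unless exactly one account state event is present and
    "sub"/"jti" are strings; unrelated event URIs are ignored, not rejected.
    """
    claims = json.loads(payload)
    events = claims.get("events")
    if not isinstance(events, dict):
        raise ValueError("missing or malformed events claim")
    matched = [uri for uri in events if uri in STATE_BY_URI]
    if len(matched) != 1:
        raise ValueError("expected one account state event, found %d" % len(matched))
    body = events[matched[0]]
    if not isinstance(body, dict):
        raise ValueError("event body must be a JSON object")
    for claim in ("sub", "jti"):
        if not isinstance(claims.get(claim), str):
            raise ValueError("missing or non-string %s claim" % claim)
    reason = body.get("reason")
    if not isinstance(reason, str) or reason not in KNOWN_REASONS:
        reason = "generic"
    return {"sub": claims["sub"], "jti": claims["jti"],
            "state": STATE_BY_URI[matched[0]], "reason": reason}
```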

Sounds good? Thoughts?

There are other ways to capture these requirements (distinct URIs for
hijacking and bot or multiple URIs), but this is the most concise and the
safest for developers who are only interested in account state (so they
don't have to deal with event URIs they don't fully understand or care
