[Openid-specs-mobile-profile] final notes of Mobile Profile (Dec 3rd 2014)

Wed Dec 17 08:24:42 UTC 2014

Dear all,

Please find below the final notes from our call of Dec 3rd 2014

Agenda:

*         Use Cases of login_hint & id_token_hint

*         LOAs,AMRs , ACRs - reasonable ACRs, starting point

1.       Use Cases of login_hint & id_token_hint
Discussion relied on differences between the 2 parameters, login_hint being mostly used for an initial authentication, Id_Token_Hint for subsequent authentications.

id_token_hint: bound to original OP & original client
login_hint: not bound to OP or client (msisdn, email) - typically human readable

Possibility for account chooser to provide the login_hint has been said. The RP could as well provide the user MISDN in case it knows it to the disco feature.
Lack of structure/format for MSISDN, do we have to use another parameter than login_hint or Id_Token_Hint ?

login_hint does not prevent RP from getting access to the MSISDN
id_token_hint is bound to certain client (and the OP) - cannot be issued by discovery services and consumed by MNO's OP, must always be used be the same client which also triggered the initial authentication request

MSISDN shall be carried in encrypted form to OP
discussed two options:

1.       Put it into login_hint -> requires format information in order to allow OP to distinguish encrypted and plain login hints

2.       Define new parameter -> carries MSISDN in encrypted JWT

(1)    may cause interop problems

(2)    is considered the better solution. OPs not supporting the new parameter just ignore it. Works for Discovery to OP and Account Chooser to OP
2.       LOAs,AMRs , ACRs - reasonable ACRs, starting point
long discussions on RP needs: LOAs, ACR
It has been mentioned that commercial offers would probably mix APIs and Authentication Means (ex: Billing API with Mobile Connect authent). In that case, the RP must be in position to request the "MC" authentication mean, not LOA2 or 3
Could be cumbersome to try to map the exhaustivity of Authentication Means to the 4 LOAs (classification), but maybe we could start with describing a basic set of common authentication means, containing Mobile Connect.

Regards,
Philippe

Notice : I will be off from dec 19th to Jan 5th 2014

[logo Orange]<http://www.orange.com/>

Philippe Clement
Head of Identity Enabler
Orange/IMT/TECHNOCENTRE/MPA OPEN - DEVELOPERS SERVICES/ENABLERS

fixe : +33 1 45 29 65 04 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%201%2045%2029%2065%2004%20>
mobile : +33 6 81 24 67 21 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2081%2024%2067%2021%20>
philippe.clement at orange.com<mailto:philippe.clement at orange.com>

[OrangePartner_API_EmailSignature-02 (2)]<http://www.orangepartner.com/>

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20141217/bdcbdbb4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 381 bytes
Desc: image001.gif
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20141217/bdcbdbb4/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 10185 bytes
Desc: image002.jpg
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20141217/bdcbdbb4/attachment-0001.jpg>