[Openid-specs-mobile-profile] Issue #48: Account Portability (openid/mobile)
Torsten Lodderstedt
issues-reply at bitbucket.org
Fri May 27 08:49:57 UTC 2016
New issue 48: Account Portability
https://bitbucket.org/openid/mobile/issues/48/account-portability
Torsten Lodderstedt:
* Current concept forces RPs to ignore “iss” claim and select user accounts based on “sub” claim only. This creates a huge security risk since ANY IDP in an ecosystem (like Mobile Connect) can assert identities of any other attached IDP! It violates the fundamental OpenID concept of scoped userid (authority).
* Note: Microsoft Office 365 recently experienced a similar vulnerability - http://www.economyofmechanism.com/office365-authbypass.html
* Vulnerability can be utilized within MC as well as in general OIDC use cases – It needs to be addressed immediately
* MODRNA proposal: stick to OpenID concept of scoped identity for Mobile Connect Release 2 and adopt different concept for account portability, MODRNA will support development of alternative design
* First ideas for the alternative design for account portability:
** migrate scoped user ids using a protocol similar to OpenID 2.0 migration protocol (http://openid.net/specs/openid-connect-migration-1_0.html)
** old MNO issues ID tokens containing old sub (PCR) along with destination MNO's issuer URL -> used by destination MNO to prove migration of PCR from old MNO (old authority)
** new MNO associates new account with old profile data
** new MNO responds to login requests with old and new profile data (along with assertion issued by old MNO)
** sector identifier or host name is used to identify existing clients (as old and new client id differ!)
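The following is an added illustration, not code from the issue, from MODRNA or from any Mobile Connect implementation. It models the two points above in one runnable script: an RP that selects accounts by "sub" alone can be fooled by any IdP in the ecosystem asserting another IdP's subject, while keying accounts on ("iss", "sub") closes that hole; and an account can still be moved between issuers when the old issuer signs an assertion naming the destination issuer, in the spirit of the migration sketch. The issuer URLs, HMAC keys, the minimal HS256-style token format and the "migrated_to" claim name are all constructed for the example and are not defined by any specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for two IdPs that belong to the same ecosystem (hypothetical issuers).
ISSUER_KEYS = {
    "https://idp-a.example": b"idp-a-secret",
    "https://idp-b.example": b"idp-b-secret",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(issuer: str, claims: dict) -> str:
    """Mint a minimal header.payload.signature token as `issuer` (HMAC-SHA256).
    Stand-in for a real ID token; deliberately not a full JWT implementation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check the signature with the key of the issuer named in `iss` and return the claims.
    Unknown issuers and bad signatures are rejected; note that signature verification alone
    does NOT stop a trusted issuer from asserting another issuer's `sub`."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return claims


class RelyingParty:
    def __init__(self):
        self.accounts = {}  # keyed by (iss, sub): the scoped identifier

    def register(self, iss: str, sub: str, profile: dict) -> None:
        self.accounts[(iss, sub)] = profile

    def lookup_sub_only(self, token: str):
        """Vulnerable variant: ignores `iss`, so any ecosystem IdP can assert any `sub`."""
        claims = verify_token(token)
        for (_iss, sub), profile in self.accounts.items():
            if sub == claims["sub"]:
                return profile
        return None

    def lookup_scoped(self, token: str):
        """Hardened variant: the account key includes the issuer (authority)."""
        claims = verify_token(token)
        return self.accounts.get((claims["iss"], claims["sub"]))

    def login_with_migration(self, new_token: str, migration_assertion: str) -> dict:
        """Re-key an account from (old iss, old sub) to (new iss, new sub).
        The assertion must be signed by the old issuer and must name the new issuer
        in the constructed `migrated_to` claim, so a third IdP cannot replay it."""
        new = verify_token(new_token)
        old = verify_token(migration_assertion)
        if old.get("migrated_to") != new["iss"]:
            raise ValueError("migration assertion is not for this destination issuer")
        old_key = (old["iss"], old["sub"])
        if old_key not in self.accounts:
            raise ValueError("no account for the old scoped identifier")
        profile = self.accounts.pop(old_key)  # old identifier is retired, not kept as an alias
        self.accounts[(new["iss"], new["sub"])] = profile
        return profile


if __name__ == "__main__":
    rp = RelyingParty()
    rp.register("https://idp-a.example", "pcr-123", {"name": "alice"})
    legit = issue_token("https://idp-a.example", {"sub": "pcr-123"})
    rogue = issue_token("https://idp-b.example", {"sub": "pcr-123"})  # B asserts A's subject
    print("sub-only, rogue token:", rp.lookup_sub_only(rogue))   # alice's account: the bug
    print("scoped, rogue token:  ", rp.lookup_scoped(rogue))     # None: rejected
    assertion = issue_token("https://idp-a.example",
                            {"sub": "pcr-123", "migrated_to": "https://idp-b.example"})
    new_tok = issue_token("https://idp-b.example", {"sub": "pcr-999"})
    print("migrated:", rp.login_with_migration(new_tok, assertion), rp.lookup_scoped(new_tok))
```

The rogue token in the demo is correctly signed by a trusted issuer; only the scoped lookup notices that the asserting issuer is not the authority for that subject. The migration path keeps that property because the RP verifies the old issuer's signature itself and checks that the assertion names the issuer that presented it, rather than trusting the new issuer's word that the two subjects belong together.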