[Openid-specs-mobile-profile] Fwd: New Version of Account Migration Draft

Philippe Clément philippe.clement.ft at gmail.com
Tue Jul 26 13:51:20 UTC 2016


---------- Forwarded message ----------
From: <philippe.clement at orange.com>
Date: 2016-07-26 15:48 GMT+02:00
Subject: RE: New Version of Account Migration Draft
To: "Torsten.Lodderstedt at telekom.de" <Torsten.Lodderstedt at telekom.de>, "
openid-specs-mobile-profile at lists.openid.net" <
openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>


Hi Torsten,



Thank you for this very valuable document.



By reading the set of 2 phases, I was wondering if we could add a scenario
combining these 2 ones.

In this scenario, we could have:



Prerequisite:

1-    User had an account on a previous MNO (OP1)

2-    User’s account on OP1 is closed

3-    User has an account on a new MNO (OP2)

4-    Eventually, OP1 knows that user has migrated to OP2

5-    RP knows former MNO (OP1)

Use Case:

6-    User visits his usual RP and starts authentication to access the
service

7-    RP starts the OIDC flow with OP1 with usual secured hints regarding
the user

8-    OP1 answer’s with an error code “account migrated” and sends back to
the RP all the necessary subject values. If OP1 knows what OP user has
migrated to, it is inserted in the answer

9-    RP interacts with the user to get his new OP (discovery process),
unless RP already knows what OP user has migrated to.

10- RP starts the authentication process with OP2

11- According to the success of authentication on OP2, RP migrates subject
values for his RP’s account



This Use case would take place in one shot, at the moment where user needs
to authenticate at RP to get the service, so it would be very efficient in
terms of migration

It minimizes the situation of cascading OPs

It avoids to install a dialog between OP1 and OP2 and privacy concerns
regarding transfer of personal information from OP1 to OP2.

Then it avoids some situations where user will not start the migration
process by accessing a specific service to be developped on OP2.

It avoids limitations in Authorization Grant lifetime.



I could have missed something important, and so I’m looking forward to any
feedback from the list



Kind regards,

Philippe



*De :* Openid-specs-mobile-profile [mailto:
openid-specs-mobile-profile-bounces at lists.openid.net] *De la part de*
Torsten.Lodderstedt at telekom.de
*Envoyé :* mardi 19 juillet 2016 13:30
*À :* openid-specs-mobile-profile at lists.openid.net
*Objet :* [Openid-specs-mobile-profile] New Version of Account Migration
Draft



Hi all,



I just published -01 of the account migration draft at openid.net (
http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html).
The source code can be found in our Bitbucket repo.



This is a significant rewrite of the specification based on your valuable
feedback. Thank you! Although I tried to incorporate all review comments,
please bear with me if I missed a comment. Please let me know, so I can
incorporate it in the next revision.



I applied the following changes to the document:



·         reorganized the draft

·         extended introduction and overview

·         stated scope of the draft and what is currently out of scope

·         changed terminology from porting to migration

·         changed migration data structure to be different from an id token

·         cleaned up references

·         added initial security considerations



Please post your feedback to the list.



best regards,

Torsten.



_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez
recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les
messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere,
deforme ou falsifie. Merci.

This message and its attachments may contain confidential or
privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and
delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have
been modified, changed or falsified.
Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160726/e1778e92/attachment.html>


More information about the Openid-specs-mobile-profile mailing list