[Openid-specs-mobile-profile] Alternative account porting design
Manger, James
James.H.Manger at team.telstra.com
Tue Aug 16 07:17:33 UTC 2016
Hi MODRNA,
Attached is an alternative technical design to support porting between OPs.
OpenID Connect Account Porting
draft-account-porting-00
Abstract: This document specifies mechanisms to support a user porting from
one OpenID Connect Provider to another, such that relying parties can
automatically recognize and verify the change.
It requires an RP to make an API call to the Old OP to confirm a port, instead of handling an extra JWT signed by the Old OP.
It uses a port_token (per user per RP) to link a porting event across interactions from the Old OP to the New OP, then to the RP, then back to the Old OP. A port_token is opaque to the New OP and RP so it could be a structured value (such as a JWT) if desired by the Old OP to minimize state in an implementation; otherwise a 256-bit base64url-encoded random value referencing the porting state will do.
It does NOT require an OAuth 2.0 dance by the RP to confirm a port. It assumes the port_token acts like a capability (not unlike a bearer access token).
It uses Sector Ids to identify (groups of related) RPs.
It supports chaining of multiple ports if required.
The Security Considerations are copied unchanged from draft-account-migration-02.
Annex A is an example in the form of a sequence diagram (embedded with a data: URL).
It does require that an Old OP remains available until RPs have confirmed ports (which could be months later). However, those responses could be implemented with a static web site if required, so I don't think this need be an onerous burden or risk.
[1] Torsten's current draft design using JWTs: http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-02.html
--
James Manger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160816/17846b84/attachment-0002.html>