[Openid-specs-mobile-profile] Alternative account porting design

Manger, James James.H.Manger at team.telstra.com
Tue Aug 16 07:17:33 UTC 2016


Hi MODRNA,

Attached is an alternative technical design to support porting between OPs.

  OpenID Connect Account Porting
  draft-account-porting-00

  Abstract: This document specifies mechanisms to support a user porting from
  one OpenID Connect Provider to another, such that relying parties can
 automatically recognize and verify the change.

It requires an RP to make an API call to the Old OP to confirm a port, instead of handling an extra JWT signed by the Old OP.

It use a port_token (per user per RP) to link a porting event across interactions from the Old OP to the New OP, then to the RP, then back to the Old OP. A port_token is opaque to the New OP and RP so it could be a structured value (such as a JWT) if desired by the Old OP to minimize state in an implementation; otherwise a 256-bit base64url-encoded random value referencing the porting state will do.

It does NOT require an OAuth 2.0 dance by the RP to confirm a port. It assumes the port_token acts like a capability (not unlike a bearer access token).

It uses Sector Ids to identify (groups of related) RPs.

It supports chaining of multiple ports if required.

The Security Considerations are copied unchanged from draft-account-migration-02.

Annex A is an example in the form of a sequence diagram (embedded with a data: URL).

It does require that an Old OP remains available until RPs have confirmed ports (which could be months later). However, those responses could be implemented with a static web site if required so I do think this need be an onerous burden or risk.

[1] Torsten's current draft design using JWTs: http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-02.html

--
James Manger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160816/17846b84/attachment-0002.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160816/17846b84/attachment-0003.html>


More information about the Openid-specs-mobile-profile mailing list