[Openid-specs-mobile-profile] New Version of Account Migration Draft
GONZALO FERNANDEZ RODRIGUEZ
gonzalo.fernandezrodriguez at telefonica.com
Wed Aug 17 12:46:02 UTC 2016
Hi Torsten,
I have been reviewed your account migration proposal (Thanks a lot!!!). Regarding the Account Migration Request (Section 3.2) there is a note “OPEN” that says: “Is POST the right verb? think so since user account state is change at the old OP (subject values are invalidated)” and I was wondering two questions:
1. What is supposed to mean “subject values are invalidated”? Do you mean to remove the user account?
2. Shouldn’t be necessary a three handshake mean to finalise the migration?. I think that maybe the new operator could make a GET request to obtain the migration data and once it consider they are well migrated and stored in their database make a final POST request to indicate to the old operator that the user has been correctly migrated and their account can be removed.
Best,
Gonza.
From: Openid-specs-mobile-profile on behalf of "Torsten.Lodderstedt at telekom.de<mailto:Torsten.Lodderstedt at telekom.de>"
Date: Tuesday 26 July 2016 at 16:17
To: "openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>", "philippe.clement at orange.com<mailto:philippe.clement at orange.com>"
Cc: "philippe.clement.ft at gmail.com<mailto:philippe.clement.ft at gmail.com>"
Subject: Re: [Openid-specs-mobile-profile] New Version of Account Migration Draft
Hi Philippe,
thanks for your proposal. I basically think it is a good idea if OP1 would indicate the migration to the RP.
Two questions/comments came into my mind instantly:
- how is OP1 supposed to learn/know that the user account was migrated to OP2 and what the ppid was at OP1?
- I would not rely on the unsigned error response from OP1 to tell the RP where the user account was migrated to. This data could be faked by an attacker.
Best regards,
Torsten.
Mit TouchDown von meinem Android-Telefon gesendet (www.symantec.com)
-----Original Message-----
From: philippe.clement at orange.com<mailto:philippe.clement at orange.com> [philippe.clement at orange.com<mailto:philippe.clement at orange.com>]
Received: Dienstag, 26 Juli 2016, 15:48
To: Lodderstedt, Torsten [Torsten.Lodderstedt at telekom.de<mailto:Torsten.Lodderstedt at telekom.de>]; openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net> [openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>]
CC: philippe.clement.ft at gmail.com<mailto:philippe.clement.ft at gmail.com> [philippe.clement.ft at gmail.com<mailto:philippe.clement.ft at gmail.com>]
Subject: RE: New Version of Account Migration Draft
Hi Torsten,
Thank you for this very valuable document.
By reading the set of 2 phases, I was wondering if we could add a scenario combining these 2 ones.
In this scenario, we could have:
Prerequisite:
1- User had an account on a previous MNO (OP1)
2- User’s account on OP1 is closed
3- User has an account on a new MNO (OP2)
4- Eventually, OP1 knows that user has migrated to OP2
5- RP knows former MNO (OP1)
Use Case:
6- User visits his usual RP and starts authentication to access the service
7- RP starts the OIDC flow with OP1 with usual secured hints regarding the user
8- OP1 answer’s with an error code “account migrated” and sends back to the RP all the necessary subject values. If OP1 knows what OP user has migrated to, it is inserted in the answer
9- RP interacts with the user to get his new OP (discovery process), unless RP already knows what OP user has migrated to.
10-RP starts the authentication process with OP2
11-According to the success of authentication on OP2, RP migrates subject values for his RP’s account
This Use case would take place in one shot, at the moment where user needs to authenticate at RP to get the service, so it would be very efficient in terms of migration
It minimizes the situation of cascading OPs
It avoids to install a dialog between OP1 and OP2 and privacy concerns regarding transfer of personal information from OP1 to OP2.
Then it avoids some situations where user will not start the migration process by accessing a specific service to be developped on OP2.
It avoids limitations in Authorization Grant lifetime.
I could have missed something important, and so I’m looking forward to any feedback from the list
Kind regards,
Philippe
De : Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] De la part de Torsten.Lodderstedt at telekom.de<mailto:Torsten.Lodderstedt at telekom.de>
Envoyé : mardi 19 juillet 2016 13:30
À : openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Objet : [Openid-specs-mobile-profile] New Version of Account Migration Draft
Hi all,
I just published -01 of the account migration draft at openid.net (http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html). The source code can be found in our Bitbucket repo.
This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.
I applied the following changes to the document:
· reorganized the draft
· extended introduction and overview
· stated scope of the draft and what is currently out of scope
· changed terminology from porting to migration
· changed migration data structure to be different from an id token
· cleaned up references
· added initial security considerations
Please post your feedback to the list.
best regards,
Torsten.
_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
________________________________
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160817/0ca4dd1e/attachment-0001.html>
More information about the Openid-specs-mobile-profile
mailing list