[Openid-specs-mobile-profile] New Version of Account Migration Draft

Manger, James James.H.Manger at team.telstra.com
Thu Aug 18 07:04:45 UTC 2016


>>> It is assumed the old OP invalidates the subject values migrated to the new OP for login processes to RPs. [draft-account-migration-02; section 1]

Perhaps we don't need to assume this.
We can treat account migration as linking a new account to an old one, without implying that the old one will vanish or never be used again.

If the Old OP wants to deactivate subsequent OIDC logins it can, but that is up to the Old OP and the user.

The more interesting issue is for the RP. Should an RP replace {OldOP,sub1} with {NewOP,sub2} in its user database? Or should it add {NewOP,sub2} as an additional id for the user? Or ask the user: "We notice you logged in via a new OP, do you want to disable access via the old OP"?

When porting a mobile phone number, deactivating the Old MNO account makes sense as a phone number can only be served by a single MNO at any time. That is not the case for OIDC in general (e.g. you can have Facebook and Google accounts active at the same time). For Mobile Connect it will be the common case (due to the tie to a mobile), but probably not required in every case.

We might need a new claim "account_disabled":true to include in a migration JWT (or /port_check response) to explicitly tell the RP that {OldOP,sub1} will no longer be used so it should be rejected by the RP. That minimizes the latent risk of having an unused (and hence unexpected) login path remain open.

--
James Manger
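The RP-side behaviour discussed above (linking {NewOP,sub2} to the user already known as {OldOP,sub1}, and rejecting the old identity only when the migration assertion carries "account_disabled":true), as an added example that is not code from the draft, the thread or any Mobile Connect implementation. It assumes the migration assertion has already been signature-checked by the caller and decoded into a dict; the wrapper claim names "old" and "new" and the in-memory store are assumptions, while "iss", "sub" and "account_disabled" are the names used in the message.

```python
"""RP-side handling of an OIDC account-migration assertion.

Added example, not the draft's own code. The "old"/"new" wrapper claims
and the in-memory store are assumptions; "iss", "sub" and
"account_disabled" follow the mailing-list discussion.
"""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    # (issuer, subject) -> RP-local user_id
    identities: dict = field(default_factory=dict)
    # (issuer, subject) pairs the RP must reject at login
    disabled: set = field(default_factory=set)

    def login(self, iss: str, sub: str):
        """Return the user_id for an OIDC identity, or None if unknown or disabled."""
        key = (iss, sub)
        if key in self.disabled:
            return None
        return self.identities.get(key)

    def apply_migration(self, claims: dict):
        """Link the new identity to the user that owns the old one.

        `claims` is the decoded migration assertion (signature already
        verified by the caller). Returns the affected user_id, or None if
        the old identity is unknown: an RP must not create or link anything
        it cannot tie to an account it already holds.
        """
        old = (claims["old"]["iss"], claims["old"]["sub"])
        new = (claims["new"]["iss"], claims["new"]["sub"])
        user_id = self.identities.get(old)
        if user_id is None:
            return None
        existing = self.identities.get(new)
        if existing is not None and existing != user_id:
            # The new identity is already someone else's login; refuse to
            # merge two accounts on the strength of a migration assertion.
            raise ValueError("new identity already linked to a different user")
        self.identities[new] = user_id
        # Only an explicit account_disabled:true closes the old login path;
        # absent the claim, both identities stay usable (the "link" model).
        if claims.get("account_disabled") is True:
            self.disabled.add(old)
        return user_id


def demo() -> dict:
    """Run the two cases from the discussion on a constructed store."""
    old_id = {"iss": "https://old-op.example", "sub": "sub1"}
    new_id = {"iss": "https://new-op.example", "sub": "sub2"}
    store = UserStore()
    store.identities[(old_id["iss"], old_id["sub"])] = "user-42"

    # Case 1: plain linking, old OP still usable.
    store.apply_migration({"old": old_id, "new": new_id})
    linked_old = store.login(old_id["iss"], old_id["sub"])
    linked_new = store.login(new_id["iss"], new_id["sub"])

    # Case 2: old OP says the subject is retired.
    store.apply_migration({"old": old_id, "new": new_id, "account_disabled": True})
    disabled_old = store.login(old_id["iss"], old_id["sub"])
    return {"linked_old": linked_old, "linked_new": linked_new, "disabled_old": disabled_old}


if __name__ == "__main__":
    print(demo())
```

The store keys on the (issuer, subject) pair rather than on subject alone, since the message's whole point is that sub1 and sub2 are only meaningful relative to their OP; the disabled set is kept separate from the identity map so the RP can still attribute a rejected login attempt to the right user when investigating it.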
