[Openid-specs-mobile-profile] Alternative account porting design
Torsten Lodderstedt
torsten at lodderstedt.net
Tue Aug 23 15:20:56 UTC 2016
Hi James,
thanks for writing down your proposal.
One question directly popped up in my mind: Why does the old OP issue
per RP/sector id porting tokens? This requires the new OP to correctly
co-relate RPs and the corresponding porting tokens (which in turn seems
to correspond to particular subject values). Identifying RPs is one of
the open issues of my draft and it retains an open issue in your draft
as well. It won't reliably work for native apps (and in the end break
encapsulation of the old OP). Your design has the potential to deal with
it by just letting the old OP do this part of the job.
Let me explain how:
I personally think a single porting token representing the old OP
account should suffice. Everything else can be done by the old OP using
the data/credentials at hand (because the RP is also known to the old OP!).
1) old OP issues a single porting token (related to the ported OP
account) to the new OP
2) the new OP stores this porting token (along with the iss value of the
old OP) with its corresponding OP account
2) new OP adds "aka" (I like that name :-)) to the ID token with every
login response for such an account
3) RP sends request to porting check API at the old OP, including the
porting token + the credentials it regularily uses to
identify/authenticate with the tokens endpoint of this particular OP (it
must have an identity with this OP as it is a RP for this OP as well)
4) the old OP applies the same logic as for a regular login request,
i.e. it authenticates the RP and determines the appropriate subject
value (based on its RP-specific policy and other data)
5) the old OP returns this subject value (public or pairwise) to the RP
6) RP uses the subject value to find local account
Benefit: the old OP is able to determine the RP's identity and the
correct subject value. Moreover, it stays in full control of which data
is handed of to what RP. The new OP does not need to know anything about
the different local accounts associated with the ported OP account.
What do you think?
best regards,
Torsten.
Am 16.08.2016 um 09:17 schrieb Manger, James:
>
> Hi MODRNA,
>
> Attached is an alternative technical design to support porting between
> OPs.
>
> OpenID Connect Account Porting
>
> draft-account-porting-00
>
> Abstract: This document specifies mechanisms to support a user
> porting from
>
> one OpenID Connect Provider to another, such that relying parties can
>
> automatically recognize and verify the change.
>
> It requires an RP to make an API call to the Old OP to confirm a port,
> instead of handling an extra JWT signed by the Old OP.
>
> It use a port_token (per user per RP) to link a porting event across
> interactions from the Old OP to the New OP, then to the RP, then back
> to the Old OP. A port_token is opaque to the New OP and RP so it could
> be a structured value (such as a JWT) if desired by the Old OP to
> minimize state in an implementation; otherwise a 256-bit
> base64url-encoded random value referencing the porting state will do.
>
> It does NOT require an OAuth 2.0 dance by the RP to confirm a port. It
> assumes the port_token acts like a capability (not unlike a bearer
> access token).
>
> It uses Sector Ids to identify (groups of related) RPs.
>
> It supports chaining of multiple ports if required.
>
> The Security Considerations are copied unchanged from
> draft-account-migration-02.
>
> Annex A is an example in the form of a sequence diagram (embedded with
> a data: URL).
>
> It does require that an Old OP remains available until RPs have
> confirmed ports (which could be months later). However, those
> responses could be implemented with a static web site if required so I
> do think this need be an onerous burden or risk.
>
> [1] Torsten’s current draft design using JWTs:
> http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-02.html
>
> --
>
> James Manger
>
>
>
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160823/5eb97933/attachment.html>
More information about the Openid-specs-mobile-profile
mailing list