[Openid-specs-mobile-profile] Alternative account porting design

Arne Georg Gleditsch argggh at telenordigital.com
Wed Aug 24 05:49:41 UTC 2016


Torsten Lodderstedt <torsten at lodderstedt.net> writes:
> 3) RP sends request to porting check API at the old OP, including the
> porting token + the credentials it regularly uses to
> identify/authenticate with the tokens endpoint of this particular OP
> (it must have an identity with this OP as it is a RP for this OP as
> well)

I agree that complete separation of RP identification is a nice feature
-- however, we need to keep in mind that in a Mobile Connect context,
the RPs cannot be expected to hold on to (up-to-date) credentials for
all OPs, not even the ones they have previously been in communication
with.  For them to be able to authenticate towards the old OP, they
would need to first communicate with the Operator Discovery facility to
retrieve OP-specific credentials.  This is not a show-stopper per se,
but it is going to complicate the flow a bit for the RPs.  We also need
to supply them with information they can use towards Operator Discovery
to resolve the old OP, i.e. just indicating the old iss value is not
going to be enough at this step.  (Although it would be nice if OD
supported lookups by iss...)

-- 

							Arne.