[Openid-specs-mobile-profile] Account porting within the same OP

Manger, James James.H.Manger at team.telstra.com
Fri Jun 1 07:04:26 UTC 2018


It isn't sufficient for New OP to *know* Old OP's sub. The RP needs *proof from Old OP* that this sub did port to New OP. In fact, it is almost dangerous for New OP to directly include an Old OP sub as it will be too tempting for a developer to just use it without checking with Old OP.

For your specific case where New OP = Old OP, though, the RP is authenticating both together so it should be okay. Effectively the OP is saying these 2 (or more) subs are aliases for the same user. A use case could be merging two accounts.

Simplest solution: a new id_token member named "subs" whose value is an array of strings that are other "sub" values for the same user.

The Account Porting spec also defines a "remove" member to indicate if the RP should remove or keep the old sub in addition to the new sub. So an array of {sub, remove} pairs might be better, or perhaps we can assume {remove:true} for the New OP = Old OP case?
 
--
James Manger
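An RP-side sketch of how the "subs" idea above could be consumed, added here as an illustration (it is not code from the thread, the Account Porting spec, or any OP). It assumes the id_token signature has already been verified, uses the hypothetical {sub, remove} pair form with remove defaulting to true, and keys the local account store by (iss, sub) so that a sub from any other issuer can never be matched without a porting proof.

```python
from typing import Any

# Constructed sample RP store: (iss, sub) -> local account id. Not from the thread.
ACCOUNTS = {
    ("https://op.example", "old-sub-1"): "acct-42",
    ("https://op.example", "old-sub-2"): "acct-43",
}


def apply_same_op_aliases(claims: dict[str, Any], accounts: dict) -> tuple[str, set[str]]:
    """Consume the hypothetical "subs" claim: an array of {sub, remove} objects.

    Returns (local account id now bound to the token's sub, set of other local
    accounts folded into it). Assumes the id_token signature was verified already.
    """
    iss, sub = claims["iss"], claims["sub"]
    aliases = claims.get("subs", [])
    # Aliases are trusted only because the authenticating OP asserts them about
    # its own subs. Keying by (iss, sub) means an alias listed in this token can
    # never match an account created from a different issuer, so an Old OP sub
    # cannot be "used" here without going through the full porting flow.
    keys = [(iss, sub)] + [(iss, a["sub"]) for a in aliases]
    candidates = [accounts[k] for k in keys if k in accounts]
    if candidates:
        primary = candidates[0]
    else:
        primary = f"acct-{len(accounts) + 1}"  # first visit: provision a new account
    # "Merging two accounts": every other local account reachable via an alias
    # is folded into the primary one, wherever it is referenced.
    merged = {c for c in candidates if c != primary}
    for k, v in list(accounts.items()):
        if v in merged:
            accounts[k] = primary
    accounts[(iss, sub)] = primary
    for alias in aliases:
        # Assumed default of remove=true for the New OP = Old OP case.
        if alias.get("remove", True):
            accounts.pop((iss, alias["sub"]), None)
        else:
            accounts[(iss, alias["sub"])] = primary
    return primary, merged
```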

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Marcos Sanz
Sent: Friday, 1 June 2018 4:07 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Account porting within the same OP

Dear wg,

we've been reading your work
http://openid.net/specs/openid-connect-account-porting-1_0.html
and we think we could use it for porting of identifiers in our OIDC scenario (which has nothing to do with GSMA Mobile Connect; for details of our deployment see https://tools.ietf.org/html/draft-bertola-dns-openid-pidi-architecture-01).

There are situations in our deployment where the "Old OP" is at the same time the "New OP" (somebody migrating their identity from one domain name to another one (the subject identifier does change) but staying within the same domain name registry). The current porting draft of the WG certainly allows for this, but there's an unnecessary overhead there (for the OP to issue the enc_port_token and to run additional endpoints, additional roundtrips in the workflow, etc.).

It'd be so nice if, talking generically, when the "New OP" knows the subject identifier at the "Old OP" for whatever reason, (which covers our case, because "New OP"="Old OP" and thus the OP knows the old sub) it could deliver the old sub right ahead in the ID token. Maybe within the "aka" element (as alternative to the enc_port_token child element), maybe with a new "aka-sub" parent element, so as not to overload "aka" syntax.

What do you think?

Best,
Marcos