[Openid-specs-mobile-profile] Account porting within the same OP
Marcos Sanz
sanz at denic.de
Fri Jun 1 07:30:08 UTC 2018
> It isn't sufficient for New OP to *know* Old OP's sub. The RP needs
> *proof from Old OP* that this sub did port to New OP.
Absolutely.
> For your specific case where New OP = Old OP, though, the RP is
> authenticating both together so it should be okay. Effectively the
> OP is saying these 2 (or more) subs are aliases for the same user. A use
> case could be merging two accounts.
>
> Simplest solution: a new id_token member named "subs" whose value is an
> array of strings that are other "sub" values for the same user.
It's very fine by me. However, conceptually that should be a child element
of "aka", shouldn't it?
> The Account Porting spec also defines a "remove" member to indicate if
> the RP should remove or keep the old sub in addition to the
> new sub. So an array of {sub, remove} pairs might be better, or perhaps
> we can assume {remove:true} for the New OP = Old OP case?
That's not in the ID token anymore, but only in the answers of the porting
check API after presenting the enc_port_token there, if I understand it
correctly.
Thus, if we remain in this use case, there's no need to change those API
answers, because when New OP = Old OP there's no enc_port_token around.
Best,
Marcos
>
> --
> James Manger
>
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Marcos Sanz
> Sent: Friday, 1 June 2018 4:07 PM
> To: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] Account porting within the same OP
>
> Dear wg,
>
> we've been reading your work
> http://openid.net/specs/openid-connect-account-porting-1_0.html
> and we think we could use it for porting of identifiers in our OIDC
> scenario (which has nothing to do with GSMA Mobile Connect;
> for details of our deployment see
> https://tools.ietf.org/html/draft-bertola-dns-openid-pidi-architecture-01
> ).
>
> There are situations in our deployment where the "Old OP" is at the same
> time the "New OP" (somebody migrating their identity from one domain name
> to another one -subject identifier does change- but staying within the
> same domain name registry). The current porting draft of the WG certainly
> allows for this, but there's an unnecessary overhead there (for the OP to
> issue the enc_port_token and to run additional endpoints, additional
> roundtrips in the workflow, etc.).
>
> It'd be so nice if, talking generically, when the "New OP" knows the
> subject identifier at the "Old OP" for whatever reason (which covers our
> case, because "New OP"="Old OP" and thus the OP knows the old sub), it
> could deliver the old sub right ahead in the ID token. Maybe within the
> "aka" element (as alternative to the enc_port_token child element), maybe
> with a new "aka-sub" parent element, so as not to overload "aka" syntax.
>
> What do you think?
>
> Best,
> Marcos
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
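The security rule in the exchange above (the RP may accept an alias sub on the OP's own say-so only when Old OP and New OP are the same issuer; an alias the RP knows under a different issuer is not proved by the new issuer's word and needs the enc_port_token porting-check flow instead) is small enough to show as RP-side code. The following Python is an added example, not code from the thread, the Account Porting draft or any OpenID project. It assumes the proposed "subs" claim exists with entries that are either plain strings (removal implied, as James suggested for the New OP = Old OP case) or {"sub", "remove"} objects; that the ID token has already been signature-verified and iss/aud/exp-checked by a normal OIDC library; and that the RP keys its accounts by the (iss, sub) pair as OIDC Core requires. The RpAccountStore class, its methods and the sample accounts are hypothetical.

```python
"""RP-side account linking for a proposed "subs" ID token claim.

Added example, not code from the openid-specs-mobile-profile thread, the
Account Porting draft or any OpenID project. The "subs" claim is only a
proposal in the thread; its shape is assumed here. Signature, iss, aud and
exp checks on the ID token are assumed to have been done already.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    """RP-local user record; OIDC identifies a user by the (iss, sub) pair."""
    account_id: str
    iss: str
    subs: set = field(default_factory=set)


class RpAccountStore:
    """Minimal RP account store keyed by (iss, sub). Hypothetical."""

    def __init__(self):
        self.by_key = {}  # (iss, sub) -> Account
        self._next_id = 1

    def register(self, iss, sub, account_id=None):
        acct = Account(account_id or f"acct-{self._next_id}", iss, {sub})
        self._next_id += 1
        self.by_key[(iss, sub)] = acct
        return acct

    def lookup(self, iss, sub):
        return self.by_key.get((iss, sub))

    @staticmethod
    def _normalise(entry):
        # Assumption: an entry is a bare sub string (remove implied, per the
        # New OP == Old OP suggestion) or a {"sub": ..., "remove": bool} object.
        if isinstance(entry, str):
            return entry, True
        return entry["sub"], bool(entry.get("remove", True))

    def link_from_id_token(self, claims):
        """Apply the "subs" aliases of an already-verified ID token.

        Returns (primary_account, removed_subs). Raises PermissionError when
        an alias is known to the RP under a different issuer: the token's
        issuer asserting it is not proof from the Old OP, so that alias must
        go through the enc_port_token porting check, not this shortcut.
        """
        iss, new_sub = claims["iss"], claims["sub"]
        aliases = [self._normalise(e) for e in claims.get("subs", [])]

        # Security check: refuse cross-issuer aliases outright.
        for alias_sub, _ in aliases:
            for known_iss, known_sub in self.by_key:
                if known_sub == alias_sub and known_iss != iss:
                    raise PermissionError(
                        f"sub {alias_sub!r} is registered under issuer "
                        f"{known_iss!r}; {iss!r} cannot vouch for it")

        # Collect every existing account the token touches under this issuer:
        # the new sub (if already known) plus each same-issuer alias.
        touched = []
        for sub in [new_sub] + [a for a, _ in aliases]:
            acct = self.lookup(iss, sub)
            if acct is not None and all(acct is not t for t in touched):
                touched.append(acct)
        primary = touched[0] if touched else self.register(iss, new_sub)

        # Merge any further accounts into the primary (the "merging two
        # accounts" use case from the thread): repoint their keys and subs.
        for other in touched[1:]:
            for sub in other.subs:
                self.by_key[(iss, sub)] = primary
            primary.subs |= other.subs
        primary.subs.add(new_sub)
        self.by_key[(iss, new_sub)] = primary

        # Honour "remove": drop old subs the OP says are gone, keep the rest
        # as live aliases of the same account.
        removed = []
        for alias_sub, remove in aliases:
            if remove and (iss, alias_sub) in self.by_key:
                del self.by_key[(iss, alias_sub)]
                primary.subs.discard(alias_sub)
                removed.append(alias_sub)
        return primary, removed


if __name__ == "__main__":
    # Constructed sample: a user who moved from one domain name to another
    # at the same registry OP, so the sub changed but the issuer did not.
    store = RpAccountStore()
    store.register("https://op.example", "old-sub", "acct-A")
    token = {"iss": "https://op.example", "sub": "new-sub", "subs": ["old-sub"]}
    acct, gone = store.link_from_id_token(token)
    print(acct.account_id, sorted(acct.subs), gone)
```

The cross-issuer refusal is the whole point: an RP that looked aliases up by sub alone, without the issuer, would let any OP claim any other OP's users simply by listing their subs.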