[Openid-specs-mobile-profile] Account porting within the same OP
Marcos Sanz
sanz at denic.de
Fri Jun 1 09:17:12 UTC 2018
> >> The Account Porting spec also defines a "remove" member to indicate if
> >> the RP should remove or keep the old sub in addition to the new sub. So
> >> an array of {sub, remove} pairs might be better, or perhaps we can
> >> assume {remove:true} for the New OP = Old OP case?
>
> > That's not in the ID token anymore, but only in the answers of the
> > porting check API after presenting the enc_port_token there, if I
> > understand it correctly.
> > Thus, if we remain in this use case, there's no need to change those
> > API answers, because when New OP = Old OP there's no enc_port_token
> > around.
>
> When the OP says "here is a new and old sub for this user", do you want
> the RP to replace the old sub with the new one in the RP's account DB?
> Or do you want them to have old & new as two acceptable subs? Or,
> rephrasing, will the OP always use the new sub from now on, or is there
> some reason it might use either in subsequent logins? This is what the
> "remove" member conveys. It seems equally applicable whether the OP
> delivers the old sub from the port_check_endpoint or in the id_token.

I understand. I think it's interesting information to convey, but it's
ineffective to deliver it via the porting check API (in the New OP = Old
OP case) because I don't even expect RPs to go there to check for
anything. So, it could be encoded as an array of {sub, remove} pairs in
the ID token.

Best,
Marcos
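
An added example, not part of the original message or of the Account Porting spec: one way an RP could apply {sub, remove} pairs delivered in the ID token for the New OP = Old OP case. The claim name old_subs, the (iss, sub) account map and the sample values are assumptions, and the ID token is assumed to be already validated.

```python
class PortingError(Exception):
    """Raised when the presented subs cannot be applied safely."""


def apply_same_op_porting(accounts, claims):
    """Update an RP account map from an already validated ID token.

    accounts: dict mapping (iss, sub) -> local account id (assumed layout).
    claims:   ID token claims; "old_subs" is a hypothetical claim name
              carrying the {sub, remove} pairs discussed in the thread.
    Returns the local account id, or None if no presented sub is known.
    """
    iss, new_sub = claims["iss"], claims["sub"]
    pairs = claims.get("old_subs", [])

    # Validate every pair before touching the account map.
    for pair in pairs:
        if not (isinstance(pair, dict) and isinstance(pair.get("sub"), str)
                and isinstance(pair.get("remove"), bool)):
            raise PortingError("malformed {sub, remove} pair")
        if pair["sub"] == new_sub:
            raise PortingError("old sub equals new sub")

    # Look up only under the token's own issuer (New OP = Old OP), so an
    # OP can never re-point a sub that a different issuer vouched for.
    keys = [(iss, new_sub)] + [(iss, p["sub"]) for p in pairs]
    linked = {accounts[k] for k in keys if k in accounts}
    if not linked:
        return None
    if len(linked) > 1:
        # Applying the pairs would silently merge distinct local accounts.
        raise PortingError("subs resolve to different local accounts")

    account = linked.pop()
    accounts[(iss, new_sub)] = account
    for pair in pairs:
        if pair["remove"]:
            # remove=true: the old sub stops being an accepted identifier.
            accounts.pop((iss, pair["sub"]), None)
    return account


# Constructed sample data.
ISS = "https://op.example"
SAMPLE_CLAIMS = {"iss": ISS, "sub": "new-1",
                 "old_subs": [{"sub": "old-1", "remove": True}]}
```

The function requires an explicit boolean "remove" in each pair because the thread leaves open whether {remove:true} may be assumed.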