[Openid-specs-mobile-profile] Account porting within the same OP

Torsten Lodderstedt torsten at lodderstedt.net
Fri Jun 1 14:29:16 UTC 2018


Hi James,

> On 01.06.2018 at 09:04, Manger, James <James.H.Manger at team.telstra.com> wrote:
> 
> it will be too tempting for a developer to just use it without checking with Old OP.

I agree, this is a serious risk. 

I nevertheless support this additional feature. I have a porting case where the old IDP no longer exists when the actual porting with the RP takes place. Instead another IDP takes responsibility for ALL user accounts of the old IDP. This also allows migrating all user data to the new IDP in a chunk before the old IDP is turned off.

In our case, the new IDP must tell the RP the old sub and iss values. We prevent account takeover by having a central authority, which tells the RP what IDP "officially" took over for the old IDP.

kind regards,
Torsten. 
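
The safeguard described in this message, sketched from the RP's side as an added example that is not part of the original email or of any OpenID specification. The claim names `old_iss` and `old_sub`, the dictionary form of the central authority's successor registry, and all issuer URLs and account values are assumptions constructed for illustration; the ID token is assumed to have been fully validated against its issuer beforehand.

```python
from dataclasses import dataclass, field

# Constructed sample values (hypothetical issuers).
OLD = "https://old-idp.example"
NEW = "https://new-idp.example"
ROGUE = "https://rogue-idp.example"


class PortingRejected(Exception):
    """Raised when a porting assertion must not be honoured."""


@dataclass
class RelyingParty:
    # Registry obtained from the central authority over a trusted channel:
    # old issuer -> issuer that officially took over (assumed layout).
    successors: dict
    # Local accounts keyed by (iss, sub).
    accounts: dict = field(default_factory=dict)

    def port_account(self, claims: dict) -> str:
        """Re-key a local account from the old (iss, sub) to the new one.

        `claims` come from an ID token whose signature, audience and expiry
        were ALREADY validated against claims["iss"].
        """
        new_key = (claims["iss"], claims["sub"])
        old_iss, old_sub = claims.get("old_iss"), claims.get("old_sub")
        if not old_iss or not old_sub:
            raise PortingRejected("no porting data in token")
        # The new IDP's own statement is not enough: only the authority
        # decides who speaks for the old issuer's accounts.
        if self.successors.get(old_iss) != claims["iss"]:
            raise PortingRejected("issuer is not the official successor")
        old_key = (old_iss, old_sub)
        if old_key not in self.accounts:
            raise PortingRejected("unknown or already ported account")
        if new_key in self.accounts:
            raise PortingRejected("new identity already bound to an account")
        self.accounts[new_key] = self.accounts.pop(old_key)
        return self.accounts[new_key]


def demo_rp() -> RelyingParty:
    """RP with one constructed account and OLD officially succeeded by NEW."""
    return RelyingParty({OLD: NEW}, {(OLD, "alice-123"): "local-user-7"})
```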


