<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-AU link="#0563C1" vlink="#954F72"><div class=WordSection1>
<p class=MsoNormal>>>> It is assumed the old OP invalidates the subject values migrated to the new OP for login processes to RPs. [draft-account-migration-02; section 1]</p>
<p class=MsoNormal>Perhaps we don’t need to assume this.</p>
<p class=MsoNormal>We can treat account migration as linking a new account to an old one, without implying that the old one will vanish or never be used again.</p>
<p class=MsoNormal>If the Old OP wants to deactivate subsequent OIDC logins it can, but that is up to the Old OP and the user.</p>
<p class=MsoNormal>The more interesting issue is for the RP. Should an RP <i>replace</i> {OldOP,sub1} with {NewOP,sub2} in its user database? Or should it <i>add</i> {NewOP,sub2} as an additional id for the user? Or ask the user: “We notice you logged in via a new OP, do you want to disable access via the old OP”?</p>
<p class=MsoNormal>When porting a mobile phone number, deactivating the Old MNO account makes sense as a phone number can only be served by a single MNO at any time. That is not the case for OIDC in general (e.g. you can have Facebook and Google accounts active at the same time). For Mobile Connect it will be the common case (due to the tie to a mobile), but probably not required in every case.</p>
<p class=MsoNormal>We might need a new claim "account_disabled":true to include in a migration JWT (or /port_check response) to explicitly tell the RP that {OldOP,sub1} will no longer be used so it should be rejected by the RP. That minimizes the latent risk of having an unused (& hence unexpected) login path remain open.</p>
<p class=MsoNormal>--</p>
<p class=MsoNormal>James Manger</p>
</div></body></html>