- The current concept forces RPs to ignore the “iss” claim and to select user accounts based on the “sub” claim only. This creates a huge security risk, since ANY IDP in an ecosystem (like Mobile Connect) can assert the identity of any user of any other attached IDP! It violates the fundamental OpenID concept of a scoped user id (identifier plus issuing authority).
- Note: Microsoft Office 365 recently experienced a similar vulnerability - http://www.economyofmechanism.com/office365-authbypass.html
- The vulnerability can be exploited within MC as well as in general OIDC use cases. It needs to be addressed immediately.
MODRNA proposal: stick to the OpenID concept of scoped identity for Mobile Connect Release 2 and adopt a different concept for account portability; MODRNA will support the development of an alternative design.
First ideas for the alternative design for account portability: migrate scoped user ids using a protocol similar to the OpenID 2.0 to OpenID Connect migration protocol (http://openid.net/specs/openid-connect-migration-1_0.html)
- old MNO issues ID tokens containing the old sub (PCR) along with the destination MNO's issuer URL -> used by the destination MNO to prove migration of the PCR from the old MNO (old authority)
- new MNO associates the new account with the old profile data
- new MNO responds to login requests with old and new profile data (along with the assertion issued by the old MNO)
- sector identifier or host name is used to identify existing clients (as old and new client ids differ!)
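The following is an added illustration, not code from the MODRNA notes, the Mobile Connect specifications or any MNO implementation. It models the two points above in one runnable script: an RP that selects accounts by sub alone (the concept the notes object to) beside one that keys accounts on the (iss, sub) pair, and the sketched migration flow in which the old MNO signs an assertion carrying the old PCR and the destination issuer, which the new MNO forwards so the RP can re-key the account. Tokens are a toy JWS (hex-encoded JSON payload plus an HMAC-SHA256 tag under the issuer's key) so the example runs offline; the issuer URLs, keys, PCR values and the claim names "migration" and "migrate_to" are all constructed for this example and are not names from any specification.

```python
import hashlib
import hmac
import json

# Constructed issuer-to-key table standing in for per-issuer JWKS lookup.
ISSUER_KEYS = {
    "https://idp.mno-a.example": b"constructed-key-for-mno-a",
    "https://idp.mno-b.example": b"constructed-key-for-mno-b",
}
MNO_A = "https://idp.mno-a.example"
MNO_B = "https://idp.mno-b.example"


def issue(issuer, claims):
    """Toy JWS: hex(JSON payload) '.' HMAC-SHA256 tag under the issuer's key."""
    payload = json.dumps({"iss": issuer, **claims}, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify(token):
    """Select the key by the token's own iss, then check the tag. Unknown iss raises KeyError."""
    payload_hex, tag = token.split(".")
    payload = bytes.fromhex(payload_hex)
    claims = json.loads(payload)
    expected = hmac.new(ISSUER_KEYS[claims["iss"]], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed")
    return claims


class SubOnlyRP:
    """The rejected concept: the signature is checked, but iss is then ignored."""

    def __init__(self):
        self.accounts = {}

    def login(self, id_token):
        claims = verify(id_token)
        return self.accounts.setdefault(claims["sub"], {"profile": claims.get("profile")})


class ScopedRP:
    """Scoped identity: the account key is the (iss, sub) pair."""

    def __init__(self):
        self.accounts = {}

    def login(self, id_token):
        claims = verify(id_token)
        key = (claims["iss"], claims["sub"])
        if key not in self.accounts and "migration" in claims:
            self._apply_migration(claims, key)
        return self.accounts.setdefault(key, {"profile": claims.get("profile")})

    def _apply_migration(self, claims, new_key):
        """Re-key an account from the old MNO to the new one (constructed claim names)."""
        old = verify(claims["migration"])        # must verify under the OLD issuer's key
        if old["migrate_to"] != claims["iss"]:   # assertion must be bound to this destination
            raise ValueError("migration assertion not issued for this destination issuer")
        old_key = (old["iss"], old["sub"])
        if old_key in self.accounts:
            self.accounts[new_key] = self.accounts.pop(old_key)


def cross_idp_impersonation(rp_class):
    """Alice has an account via MNO A; MNO B then asserts the same sub value.
    Returns True if MNO B's token lands on Alice's existing account."""
    rp = rp_class()
    alice = rp.login(issue(MNO_A, {"sub": "pcr-1234", "profile": "alice"}))
    alice["secret"] = "alice-only"
    mallory = rp.login(issue(MNO_B, {"sub": "pcr-1234", "profile": "mallory"}))
    return mallory is alice


def migrate_alice():
    """Alice moves from MNO A to MNO B carrying an assertion signed by A.
    Returns (number of accounts, secret seen after migration, new key present)."""
    rp = ScopedRP()
    alice = rp.login(issue(MNO_A, {"sub": "pcr-1234", "profile": "alice"}))
    alice["secret"] = "alice-only"
    assertion = issue(MNO_A, {"sub": "pcr-1234", "migrate_to": MNO_B})
    account = rp.login(issue(MNO_B, {"sub": "pcr-9876", "profile": "alice", "migration": assertion}))
    return len(rp.accounts), account["secret"], (MNO_B, "pcr-9876") in rp.accounts


def forged_migration_is_rejected():
    """MNO B signs an assertion with its own key but labels it as coming from MNO A.
    Because the RP picks the verification key from iss, the tag does not match."""
    rp = ScopedRP()
    rp.login(issue(MNO_A, {"sub": "pcr-1234", "profile": "alice"}))
    payload = json.dumps({"iss": MNO_A, "sub": "pcr-1234", "migrate_to": MNO_B}, sort_keys=True).encode()
    forged = payload.hex() + "." + hmac.new(ISSUER_KEYS[MNO_B], payload, hashlib.sha256).hexdigest()
    try:
        rp.login(issue(MNO_B, {"sub": "pcr-9876", "migration": forged}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("sub-only RP hijacked:", cross_idp_impersonation(SubOnlyRP))
    print("scoped RP hijacked:  ", cross_idp_impersonation(ScopedRP))
    print("migration result:    ", migrate_alice())
    print("forged assertion rejected:", forged_migration_is_rejected())
```

The two checks that carry the security argument are the account key being (iss, sub) and the migration assertion's destination claim being compared with the iss of the token that presents it; without the second check, any MNO holding a genuine assertion meant for another destination could replay it to claim the account.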
Issue #48 resolved