Add comprehensive support for account resolution and management handover #28
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add 'manage' command to Abstract and Introduction command lists - Add account management handover documentation to Command Usage Overview - Add 'aud_sub' claim definition to Command Token section for account resolution - Register 'aud_sub' and 'managed_by' claims in IANA JWT Claims registry - Complete integration of account resolution features throughout specification These changes enable OPs to take over management of existing RP accounts and provide efficient account lookup using RP internal identifiers.
adeinega
reviewed
Aug 13, 2025
Co-authored-by: Andrii Deinega <[email protected]>
- Add comprehensive Management Transfer section with manage command details - Separate Account Resolution and Management Transfer into distinct sections - Update Introduction with 'account lifecycle management' terminology - Clarify Success Response with 'OP tenant' specification - Add JSON String type specifications for callback_token and aud_sub claims - Include granularity comment about lifecycle vs session management - Fix typo: 'successful' -> 'successfully' in Success Response - Various editorial improvements for clarity and consistency Addresses suggestions from #27 Co-authored-by: collaborator from original PR review
…vider values - Rename "takeover" command to "migrate" throughout specification - Change "take over" terminology to "migrate" for consistency - Update command identifiers from takeover/takeover_async to migrate/migrate_async - Rename "both" authentication_provider state to "op_migration" - Standardize all authentication_provider values to lowercase (op, rp, op_migration, external, unknown) - Update Authentication Takeover Process to Authentication Migration Process
…ocumentation for consistency
dickhardt
temporarily deployed
to
github-pages
GitHub Actions
Inactive
aaronpk
reviewed
Sep 15, 2025
| +------+ Command request +------+ | ||
| | |---- Command Token ---->| | | ||
| | OP | | RP | | ||
| | |<-----------------------| | | ||
| +------+ Command response +------+ | ||
| ``` | ||
|
|
||
| ## Command Usage Overview | ||
| The OP may provide a callback endpoint and a callback token for the RP to request a command be sent by the OP such as a metadata or audit_tenant command, or to send the results of an asynchronous command. |
There was a problem hiding this comment.
Why is this paragraph added in this PR? I didn't think this PR was adding anything new around callback behavior
There was a problem hiding this comment.
This is not new -- just adding clarification on how the protocol works as the callback was not described here.
|
At first glance this looks good to me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes enable OPs to take over management of existing RP accounts and provide efficient account lookup using RP internal identifiers.
#25
see previous comments on old PR that I accidently closed from Karl
#27
Most of his comments have been incorporated in this PR