
non-deterministic behavior with multiple solid:oidcIssuer #1266

Closed
zenomt opened this issue Jul 20, 2019 · 2 comments

Comments

zenomt commented Jul 20, 2019

I originally opened this as nodeSolidServer/oidc-auth-manager#45, but here might've been better to target the right audience.

NSS/oidc-auth-manager will have inconsistent/non-deterministic behavior if a webid lists multiple solid:oidcIssuer triples.

A webid should be allowed to list multiple issuers. Potential use cases:

  • a user might want to use their webid with a publicly accessible provider as well as a private network ("intranet" / homenet / enterprise) provider;
  • a user might want to use a normal OpenID provider and the Self-Issued OpenID Provider or static openid-configuration/jwks files, to allow for ordinary web browser access as well as command-line tool access;
  • a user might be transitioning from one provider to another and need a period of overlap;
  • because why not? :)

The logic right now appears to be "find the provider and compare it against the iss claim in the id_token". This can fail if there's more than one provider, depending on which of the providers is selected by anyValue().

The logic should be "confirm that the iss is an approved provider according to the user", as that is more general and tracks the user's preference and intent.

One potential issue with changing this behavior is that the comment for http://www.w3.org/ns/solid/terms#oidcIssuer is "The preferred OpenID Connect issuer URI for a given Web ID". Either this comment should be changed to reflect the possibility of multiple issuers (for example, "An approved OpenID Connect issuer URI for a given Web ID"), or a different predicate should be used (perhaps http://openid.net/specs/connect/1.0/issuer?). This is also a webid-oidc-spec issue.
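The two checking strategies described in the comment above, as an added example (this is not code from NSS or oidc-auth-manager; the profile triples, the WebID, the issuer URLs and the id_token are constructed for the demonstration). `issMatchesPickedIssuer` models the "select one issuer and compare" pattern, where the outcome depends on which triple the store hands back; `issIsApproved` models the proposed "is iss one of the user's approved issuers" check. Issuer comparison is an exact string match, as OpenID Connect Core requires for the `iss` claim.

```javascript
// Added example, not code from NSS or oidc-auth-manager: validating the id_token
// `iss` claim against every solid:oidcIssuer a WebID profile lists.
const SOLID_OIDC_ISSUER = 'http://www.w3.org/ns/solid/terms#oidcIssuer';

// Constructed sample data: the triples a graph store would return after parsing
// Alice's WebID profile document. The profile lists two approved issuers.
const webId = 'https://alice.example/profile/card#me';
const profileTriples = [
  { subject: webId, predicate: 'http://xmlns.com/foaf/0.1/name', object: 'Alice' },
  { subject: webId, predicate: SOLID_OIDC_ISSUER, object: 'https://idp.example' },
  { subject: webId, predicate: SOLID_OIDC_ISSUER, object: 'https://intranet.corp.example' },
];

// All issuers the profile approves for this WebID, as a Set of exact strings.
function approvedIssuers(triples, subject) {
  return new Set(
    triples
      .filter(t => t.subject === subject && t.predicate === SOLID_OIDC_ISSUER)
      .map(t => t.object)
  );
}

// Pattern described in the issue: select one issuer (anyValue-style) and compare
// it to iss. `pick` stands in for whatever the store happens to return; the
// result depends on triple order, which is the non-determinism being reported.
function issMatchesPickedIssuer(triples, subject, iss, pick = list => list[0]) {
  const list = [...approvedIssuers(triples, subject)];
  return list.length > 0 && pick(list) === iss;
}

// Proposed pattern: iss is acceptable if it is any issuer the user listed.
// OIDC Core 3.1.3.7 requires the issuer identifier to match iss exactly, so a
// plain string comparison is used: no trailing-slash or case normalization.
function issIsApproved(triples, subject, iss) {
  return typeof iss === 'string' && approvedIssuers(triples, subject).has(iss);
}

// Read iss from a compact JWS without verifying it. Signature verification is
// a separate step and must use the JWKS of the issuer named in iss only after
// iss has passed issIsApproved; otherwise any provider could mint an id_token
// for someone else's WebID and have its own keys accepted.
function issFromIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('expected a three-part JWS compact serialization');
  const payload = JSON.parse(fromBase64Url(parts[1]));
  if (typeof payload.iss !== 'string') throw new Error('id_token has no string iss claim');
  return payload.iss;
}

function fromBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function toBase64Url(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8')
    .toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Constructed id_token from the intranet provider. The signature segment is a
// placeholder; this example only inspects the payload.
const sampleIdToken = [
  toBase64Url({ alg: 'RS256', kid: 'demo' }),
  toBase64Url({ iss: 'https://intranet.corp.example', sub: 'alice', aud: 'demo-client' }),
  'signature-omitted',
].join('.');

// Run both strategies against the same token and profile.
function demo() {
  const iss = issFromIdToken(sampleIdToken);
  return {
    iss,
    pickFirst: issMatchesPickedIssuer(profileTriples, webId, iss),
    pickLast: issMatchesPickedIssuer(profileTriples, webId, iss, l => l[l.length - 1]),
    approved: issIsApproved(profileTriples, webId, iss),
  };
}

console.log(demo());
```

With the profile above, the "pick one" check passes or fails purely on triple order (`pickFirst` is false, `pickLast` is true for the same token), while the set-membership check is stable. The exact-match rule also means `https://intranet.corp.example/` with a trailing slash is rejected; the value in the profile has to be the issuer identifier exactly as the provider publishes it.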

jaxoncreed (Contributor) commented
This makes sense. I've linked this to an issue in the spec discussion, so we can close it out here

https://github.com/solid/specification/issues/80

zenomt (Author) commented Sep 27, 2019

@jaxoncreed I take it that if this issue is being closed, there's no intention to address this behavior in NSS.
