Skip to content
This repository has been archived by the owner on Apr 13, 2022. It is now read-only.

WebID Provider Confirmation #11

Open
namedgraph opened this issue Mar 22, 2019 · 1 comment
Open

WebID Provider Confirmation #11

namedgraph opened this issue Mar 22, 2019 · 1 comment

Comments

@namedgraph
Copy link

I don't understand the problem described in WebID Provider Confirmation.

I think the core of the problem is expecting a global WebID in the ID-token. If it would be simply derived from claim fields that can be verified in a straightforward way (e.g. iss and sub, as I propose in #10), then the need for WebID verification step goes away IMO. That verification process introduces a lot of complexity without a clear benefit.

@Sparika
Copy link

Sparika commented Apr 4, 2019

What is missing is a way for the audience of the OIDC authentication containing a webid claim (or equivalent) to verify the validity of claim. Indeed, anyone can claim a WebID in the same way that everyone could claim an email address or a web origin.

I see three scenarios:

  • Either the audience of the claim does not care about the validity of the claim. If you say this is your phone number and you doesn't get my call, that's your problem. In the end, the WebID content is declarative anyway (right?).
  • The audience trust the identity provider to have conducted appropriate verifications. This is probably trivial if the iss origin matches the WebID origin. In the case where the WebID is from another origin, is there a way for the user to prove ownership of the WebID to the identity provider? (1)
  • The audience wants to verify the validity of the WebID by itself. I'm not sure it is required in the first place, because then, what's the point of using authentication delegation in the first place.

(1) For instance, could it be possible to reuse the ACME protocol (let's encrypt) to prove ownership of the WebID to the IdP?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants