You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 13, 2022. It is now read-only.
I think the core of the problem is expecting a global WebID in the ID-token. If it would be simply derived from claim fields that can be verified in a straightforward way (e.g. iss and sub, as I propose in #10), then the need for WebID verification step goes away IMO. That verification process introduces a lot of complexity without a clear benefit.
The text was updated successfully, but these errors were encountered:
What is missing is a way for the audience of the OIDC authentication containing a webid claim (or equivalent) to verify the validity of claim. Indeed, anyone can claim a WebID in the same way that everyone could claim an email address or a web origin.
I see three scenarios:
Either the audience of the claim does not care about the validity of the claim. If you say this is your phone number and you doesn't get my call, that's your problem. In the end, the WebID content is declarative anyway (right?).
The audience trust the identity provider to have conducted appropriate verifications. This is probably trivial if the iss origin matches the WebID origin. In the case where the WebID is from another origin, is there a way for the user to prove ownership of the WebID to the identity provider? (1)
The audience wants to verify the validity of the WebID by itself. I'm not sure it is required in the first place, because then, what's the point of using authentication delegation in the first place.
(1) For instance, could it be possible to reuse the ACME protocol (let's encrypt) to prove ownership of the WebID to the IdP?
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I don't understand the problem described in WebID Provider Confirmation.
I think the core of the problem is expecting a global WebID in the ID-token. If it would be simply derived from claim fields that can be verified in a straightforward way (e.g.
iss
andsub
, as I propose in #10), then the need for WebID verification step goes away IMO. That verification process introduces a lot of complexity without a clear benefit.The text was updated successfully, but these errors were encountered: