Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define Behaviour for Multiple OpenId issuers for a WebID #63

Closed
jaxoncreed opened this issue Sep 27, 2019 · 10 comments
Closed

Define Behaviour for Multiple OpenId issuers for a WebID #63

jaxoncreed opened this issue Sep 27, 2019 · 10 comments
Labels
can-be-closed? This issue is slated to be closed Solid-OIDC Solid-OIDC Authentication Spec - Draft

Comments

@jaxoncreed
Copy link
Contributor

As a reference to this issue: nodeSolidServer/node-solid-server#1266

Currently, the Solid spec does not explicitly define behaviour for a user who's WebID lists multiple OpenID issuers. The normative spec should indicate that when dereferencing a WebID's issuers a server must not reject a token if any of the issuers match the issuer in the token.
@elf-pavlik
Copy link
Member

If we go with requiring User's IdP to also act as User associated Authorization Server it may mean that in practice User would need to choose one. Otherwise Which AS would stay responsible for managing user authorizations for which client?

@TallTed
Copy link
Contributor

TallTed commented Oct 4, 2019

@elf-pavlik

in practice User would need to choose one

for each interaction.

What happens if you set up an account based on an ID from IdP A, which lists IdP A+B+C, using IdP B as initial AS, and then IdP goes down, temporarily or permanently? Should you be unable to get authorization based on authentication with IdP A or C?

@jaxoncreed
Copy link
Contributor Author

What happens if you set up an account based on an ID from IdP A... and then IdP goes down, temporarily or permanently

The user's ID is not on the IDP, the webID would be something completely separate, so if the WebID goes down, then that's a whole different problem. But in short, no, if your WebID goes down you should not be able to get authorization based on any IDP.

@elf-pavlik
Copy link
Member

for each interaction.

I think if someone would use multiple Authorization Server, that User most likely will pick one AS for any given Client (app). I guess app doing discovery before asking User for authorization it could ask which AS that User wants to use with that app.

The user's ID is not on the IDP

Yes, we don't make any assumption about where User publishes one's WebID Profile.

solid

@RubenVerborgh
Copy link

Side-notes that:

  • oidcIssuer is probably not the correct name (more something like "trusted identity provider")
  • the fact that the value of oidcIssuer is plaintext, might not be desired; this could invite people to DDOS attacks on a private IDP etc. Instead, we might want some cryptographic value here, such that the IDP can prove it can act on my behalf.

@elf-pavlik
Copy link
Member

the fact that the value of 'oidcIssuer' is plaintext, might not be desired

I think one should be able to enter one's own WebID in the app and let it discover all the rest. Also one could do DDOS attack directly on WebID, especially that many deployments may choose to run storage server and identity provider together.

@RubenVerborgh
Copy link

I think one should be able to enter one's own WebID in the app and let it discover all the rest.

There are use cases for both; some might want to enter their IDP, some their WebID.

For usability arguments (which are important), neither is probably optimal. Browser autocompletion seems like a good direction.

@dmitrizagidulin
Copy link
Member

@RubenVerborgh

oidcIssuer is probably not the correct name (more something like "trusted identity provider")

Hmm, I'm not sure. That triple is specifically for OIDC provider semantics. (Maybe we can have rdfs or owl subclass or whatever, so that one can infer that it's a subset of "trusted identity provider"?)

the fact that the value of oidcIssuer is plaintext, might not be desired; this could invite people to DDOS attacks on a private IDP etc. Instead, we might want some cryptographic value here, such that the IDP can prove it can act on my behalf.

Oooooh interesting! That's a really great question.

(I've opened an issue about this on the DID Spec repo, since it might be of interest to the DID community as well.)

@csarven csarven transferred this issue from solid/specification Aug 7, 2020
@elf-pavlik
Copy link
Member

I think wording based around "Statement matching triple ?sub <http://www.w3.org/ns/solid/terms#oidcIssuer> ?iss covers issued by any of user designated issuers. For DDOS we may need to create separate issue.

@csarven csarven added the Solid-OIDC Solid-OIDC Authentication Spec - Draft label Aug 9, 2020
@acoburn acoburn added the can-be-closed? This issue is slated to be closed label Jan 15, 2021
@acoburn
Copy link
Member

acoburn commented Jan 25, 2021

I think wording based around "Statement matching triple ?sub http://www.w3.org/ns/solid/terms#oidcIssuer ?iss covers issued by any of user designated issuers.

As stated above, this current Solid-OIDC specification draft answers this question: https://solid.github.io/authentication-panel/solid-oidc/#resource-access-validation

@acoburn acoburn closed this as completed Jan 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
can-be-closed? This issue is slated to be closed Solid-OIDC Solid-OIDC Authentication Spec - Draft
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@csarven @justinwb @RubenVerborgh @elf-pavlik @dmitrizagidulin @acoburn @TallTed @jaxoncreed