Proposal: Standardize the WebId's content as only auth-specific

[jaxoncreed]

This has been talked about before, but I don't think an official issue has ever been made for this:

Problem

Currently, the WebId is considered the user's profile. It includes their name, their image, and other things about their person. In addition, it includes their authentication information like their OIDC Issuer and their certs.

This presents a problem: authentication information must always be public as it's needed for entities to confirm identity ownership. However, profile information could be public or private depending on the user's preferences, but putting it in the WebId requires this information to be public.

Note that it still would make sense to have triples related to discovery (like a pointer to a user's inbox) in the WebId, but that is out of the scope of the auth spec.

Proposal

The auth spec should dictate the minimum number of things that MUST be in the WebId, and those things should only pertain to Authentication.

The following is what I think a WebId should look like:

@prefix : <#>.
@prefix solid: <http://www.w3.org/ns/solid/terms#>.
@prefix cert: <http://www.w3.org/ns/auth/cert#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.
@prefix example: <https://example.com#>

:me
    a example:AuthenticatableAgent, example:OIDCAuthenticatableAgent, example:RSAPublicKeyAuthenticatableAgent;
    cert:key
        [
            a cert:RSAPublicKey;
            cert:exponent 65537;
            cert:modulus
                "AB564BF3F36A712A6D17CE87EE49185D802DAF82313C925D51E82ED618200CFDF1542717F41A6D39C01726967A40A170547B050540A089B61A4143DBD4E360EBAC6F086F37A40CDAE61F33AE2181A187B3BE861D9ABF8A439532D0B4DAAB83686508CFB88627F77A8F0D117231521AE095334B28CAEC8FD2928C8A29CB15C38C27DA8B9426478BFB00CED71FB1904C9B0D27E2C4FF9F37882A917BD54957D4D9215E3625B8E195CCF2E8B18A528F9E4D1A19E525AF54CDB0804599DA9786D210AA04821977C7AF8F9C03BA1094F695A19F3C4B52DE9FC11ED14616559FC1DE0C610FBDC0F0DE5D817C417A4A5E6AC3FCD1C7B3F6B574BAFBD36E4B23164CE7D9"^^xsd:hexBinary
        ];
    solid:oidcIssuer <https://solid.community>.

Three new terms are added in this proposal: example:AuthenticatableAgent, example:OIDCAuthenticatableAgent, and example:RSAPublicKeyAuthenticatableAgent. Each of these dictate the way an agent can sign in and exist to help clients determine the methods available.

Eliminating a Legacy OIDC Discovery Pattern

And while we're at it, it would also make sense to get rid of the ability to discover the OIDC provider from the headers (https://github.com/solid/webid-oidc-spec/#authorized-oidc-issuer-discovery). The primary way to discover an OIDC provider should be via the WebId document as it is more in-line with linked data.

[dmitrizagidulin]

What's interesting about this issue is -- it essentially replicates the discussion of what a DID Document is. Specifically, a minimized WebID profile (with just public key material and some links, such as to the oidcIssuer) is just a DID Document.

[elf-pavlik]

It seems that current draft will only require presence of statement with solid:oidcIssuer (except when 'on the same domain' as IdP). It also doesn't include issuer discovery via HTTP Header as we all seemed to agree on.

Do you still see need for specyfing rdf class like example:OIDCAuthenticatableAgent or we can close this issue?

[csarven]

Closely related issue here is the required RDF serialization ( solid/specification#45 ) that the consumer of the WebID Profile document should be capable of parsing. Unless specified otherwise (eg. one particular format), Turtle and JSON-LD are currently what's required in the Solid ecosystem for both clients and servers. What's the current assumption/agreement?

[acoburn]

@csarven I don't believe this has been explicitly discussed, but it would be good to clarify. I would be 👍 for requiring Turtle and JSON-LD as a minimum

[EndlessTrax]

I seem to recall some discussion about this in a panel meeting. Maybe you missed that one @acoburn? From what I recall we agreed that that was felt that it should be added to the WebID spec itself and delegated to in the Auth spec.

[csarven]

Do you mean particular requirements were raised in a meeting and that it should be incorporated in the WebID spec, or do you mean that whatever the WebID spec requires will be used by the OIDC Authentication spec here? Something else?

Note also bit on WebID that I've just mentioned in solid/specification#45 (comment) . What to do here may be more clear once that issue is resolved. It'd be ideal to align the requirements for servers with somewhat different purposes.

[acoburn]

The Solid-OIDC specification requires the presence of one or more solid:oidcIssuer triples. Other data is out of scope for this specification.