Proposal: Standardize the WebId's content as only auth-specific #48
Comments
What's interesting about this issue is -- it essentially replicates the discussion of what a DID Document is. Specifically, a minimized WebID profile (with just public key material and some links, such as to the oidcIssuer) is just a DID Document.
It seems that current draft will only require presence of statement with Do you still see need for specifying rdf class like
Closely related issue here is the required RDF serialization ( solid/specification#45 ) that the consumer of the WebID Profile document should be capable of parsing. Unless specified otherwise (e.g. one particular format), Turtle and JSON-LD are currently what's required in the Solid ecosystem for both clients and servers. What's the current assumption/agreement?
@csarven I don't believe this has been explicitly discussed, but it would be good to clarify. I would be 👍 for requiring Turtle and JSON-LD as a minimum
I seem to recall some discussion about this in a panel meeting. Maybe you missed that one @acoburn? From what I recall, we agreed that it was felt it should be added to the WebID spec itself and delegated to in the Auth spec.
Do you mean particular requirements were raised in a meeting and that it should be incorporated in the WebID spec, or do you mean that whatever the WebID spec requires will be used by the OIDC Authentication spec here? Something else? Note also the bit on WebID that I've just mentioned in solid/specification#45 (comment). What to do here may be more clear once that issue is resolved. It'd be ideal to align the requirements for servers with somewhat different purposes.
The Solid-OIDC specification requires the presence of one or more
This has been talked about before, but I don't think an official issue has ever been made for this:
Problem
Currently, the WebId is considered the user's profile. It includes their name, their image, and other things about their person. In addition, it includes their authentication information like their OIDC Issuer and their certs.
This presents a problem: authentication information must always be public as it's needed for entities to confirm identity ownership. However, profile information could be public or private depending on the user's preferences, but putting it in the WebId requires this information to be public.
Note that it still would make sense to have triples related to discovery (like a pointer to a user's inbox) in the WebId, but that is out of the scope of the auth spec.
Proposal
The auth spec should dictate the minimum number of things that MUST be in the WebId, and those things should only pertain to Authentication.
The following is what I think a WebId should look like:
Three new terms are added in this proposal: example:AuthenticatableAgent, example:OIDCAuthenticatableAgent, and example:RSAPublicKeyAuthenticatableAgent. Each of these dictates the way an agent can sign in and exists to help clients determine the methods available.
Eliminating a Legacy OIDC Discovery Pattern
And while we're at it, it would also make sense to get rid of the ability to discover the OIDC provider from the headers (https://github.com/solid/webid-oidc-spec/#authorized-oidc-issuer-discovery). The primary way to discover an OIDC provider should be via the WebId document as it is more in-line with linked data.
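The minimal, auth-only WebID profile the proposal describes, worked through as an added example (this is not code from the issue, from the commenters or from the Solid project): a JSON-LD profile that carries only the proposed example: classes and an OIDC issuer, a loader that keeps just those auth statements about the requested WebID, a lookup of the advertised sign-in methods from the rdf:type values, and the issuer check that makes the WebID document, rather than a response header, the place where an OIDC provider is authorized to speak for the agent. The example: namespace IRI, the solid:oidcIssuer predicate spelling, the method names and all sample IRIs are assumptions made here; JSON-LD is used because the thread names it as one of the two required serializations.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a minimal, auth-only WebID profile document in JSON-LD,
# shaped the way the proposal describes. The example: classes are the ones the
# proposal introduces; their namespace IRI is an assumption made here, as is the
# solid:oidcIssuer predicate spelling (the issue only says "OIDC Issuer").
SAMPLE_WEBID = "https://alice.example/profile/card#me"
SAMPLE_PROFILE = """
{
  "@context": {
    "solid": "http://www.w3.org/ns/solid/terms#",
    "example": "https://example.org/ns/auth#",
    "solid:oidcIssuer": {"@type": "@id"}
  },
  "@id": "https://alice.example/profile/card#me",
  "@type": ["example:AuthenticatableAgent", "example:OIDCAuthenticatableAgent"],
  "solid:oidcIssuer": "https://idp.example"
}
"""

SOLID = "http://www.w3.org/ns/solid/terms#"
EXAMPLE = "https://example.org/ns/auth#"  # assumed namespace for the proposal's terms

# The proposal's classes and the sign-in method each one advertises
# (method labels are chosen here, not taken from any spec).
AUTH_CLASSES = {
    EXAMPLE + "OIDCAuthenticatableAgent": "oidc",
    EXAMPLE + "RSAPublicKeyAuthenticatableAgent": "rsa-public-key",
}


def expand(term, context):
    """Expand a compact IRI ("prefix:local") against the document's @context.

    Only prefix expansion is handled; that is all this minimal profile needs.
    A {"@id": ...} node object is unwrapped first.
    """
    if isinstance(term, dict):
        term = term.get("@id", "")
    prefix, sep, local = term.partition(":")
    base = context.get(prefix) if sep else None
    if isinstance(base, str):
        return base + local
    return term


def as_list(value):
    """JSON-LD allows a single value or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalise_issuer(iri):
    """Compare issuers as exact IRIs, tolerating only host case and a trailing slash."""
    parts = urlsplit(iri)
    return urlunsplit(
        (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"), parts.query, "")
    )


def load_profile(doc_text, webid):
    """Parse the profile and keep only the auth-specific statements about `webid`.

    A document whose subject is not the WebID being checked is rejected, so a
    profile that describes some other agent cannot vouch for this one.
    """
    doc = json.loads(doc_text)
    if doc.get("@id") != webid:
        raise ValueError("profile document does not describe the requested WebID")
    context = doc.get("@context", {})
    types = {expand(t, context) for t in as_list(doc.get("@type"))}
    issuers = []
    for key, value in doc.items():
        if key.startswith("@"):
            continue  # JSON-LD keywords are not predicates
        if expand(key, context) == SOLID + "oidcIssuer":
            issuers.extend(expand(v, context) for v in as_list(value))
    return {"webid": webid, "types": types, "issuers": issuers}


def auth_methods(profile):
    """Sign-in methods the agent advertises, derived from its rdf:type values."""
    return {method for cls, method in AUTH_CLASSES.items() if cls in profile["types"]}


def issuer_is_authorized(profile, iss):
    """True only if the token's issuer is one the WebID document itself lists.

    Issuers must be https and must match a listed value exactly (after the
    trivial normalisation above); a look-alike host is not accepted.
    """
    if not iss.startswith("https://"):
        return False
    wanted = normalise_issuer(iss)
    return any(normalise_issuer(i) == wanted for i in profile["issuers"])


if __name__ == "__main__":
    profile = load_profile(SAMPLE_PROFILE, SAMPLE_WEBID)
    print(sorted(auth_methods(profile)))
    print(issuer_is_authorized(profile, "https://idp.example/"))
    print(issuer_is_authorized(profile, "https://idp.example.attacker.example"))
```

Because the loader only ever reads the @type values and the oidcIssuer predicate, anything else a user chooses to publish (name, image, inbox pointer) is simply ignored by the authentication path, which is the separation the proposal is after: the public, auth-specific minimum can be verified without the profile having to be public as a whole.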