This repository has been archived by the owner on Apr 13, 2022. It is now read-only.
Various Documentation improvements #27
Merged
dmitrizagidulin
merged 17 commits into
solid:master
from
jaxoncreed:various-documentation
Aug 12, 2019
Changes from 7 commits
Commits
- a30c4c5 PoP tokens documentation
- jaxoncreed c64b85b Fix Dmitri and Michiel issues
- jaxoncreed c10527b Replaced wrongly identified RP with RS
- jaxoncreed cf229ee In depth documentation up to auth request
- jaxoncreed 7bff76a Update sequence diagram
- jaxoncreed 6e50af8 Finish the detailed application workflow
- jaxoncreed 0f24e25 Change photo filename
- jaxoncreed 0fa853b Ruben fixes
- jaxoncreed a7896c1 Fix typos and add more steps
- jaxoncreed 481d930 Added steps for clarification
- jaxoncreed d389c3e Updated numbers
- jaxoncreed 9237fdc Fixed spelling/grammar
- jaxoncreed 4990732 Capitalize OIDC
- jaxoncreed ece65c9 Fix WebID capitalization
- jaxoncreed e1725a1 Small corrections
- a54c0b4 Added link to Application Workflow Detailed
- ed1aaaf Changed file name to avoid confusion
@@ -43,7 +43,7 @@ See also: [Motivation for WebID-OIDC](motivation.md). | |
### Benefits and Capabilities | ||
|
||
* Fully decentralized cross-domain authentication (any peer node can serve as | ||
an identity provider as well as a relying party to any other node) | ||
an identity provider as well as a relying party to any other node) made possible by [PoP Tokens](https://tools.ietf.org/html/rfc7800). | ||
* Builds on decades of real-world authentication industry experience | ||
* Incorporates lessons from, and fixes to threat models of: SAML, OpenID and | ||
OpenID 2, OAuth and OAuth 2. See, for example, [RFC 6819 - OAuth 2.0 Threat | ||
|
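Review bot: "made possible by [PoP Tokens]" on the decentralization bullet overstates what RFC 7800 provides; that RFC defines the `cnf` (confirmation) claim that binds a token to a key, not a cross-domain identity mechanism, and the acronym is never expanded at this first use. Suggest rewording along the lines of "... as a relying party to any other node); tokens are bound to a client-held key using Proof-of-Possession (PoP) semantics ([RFC 7800](https://tools.ietf.org/html/rfc7800))", and use the same capitalisation ("PoP tokens") as the bullet added in the next hunk.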
@@ -99,6 +99,8 @@ WebID-OIDC makes the following changes to the base OpenID Connect protocol | |
* Specifies the [Authorized OIDC Issuer | ||
Discovery](#authorized-oidc-issuer-discovery) process (used as part of | ||
Provider Confirmation, and during Provider Selection steps). | ||
* Utilizes [PoP tokens](https://tools.ietf.org/html/rfc7800) as a means to | ||
access a wide array of resource providers. | ||
|
||
It's also worth mentioning that while traditional OpenID Connect use cases are | ||
concerned with retrieving user-related claims from [UserInfo | ||
|
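Review bot: "Utilizes PoP tokens as a means to access a wide array of resource providers" does not say what the protocol change actually is, and "resource providers" clashes with the "RS" (resource server) term used throughout the new section below. Suggest stating the mechanism in this bullet, e.g. "Binds the `id_token` to a client-generated key via the `cnf` claim ([RFC 7800](https://tools.ietf.org/html/rfc7800)) so the client can present audience-scoped PoP tokens to resource servers the OP does not know about"; that wording also answers the review question on the `aud` paragraph about whether this is a standard: the `cnf` claim is RFC 7800, while the per-RS token carrying an embedded `id_token` is specific to WebID-OIDC and should be labelled as such.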
@@ -300,6 +302,24 @@ that profile, she would add the following triple to her profile: | |
<#me> solid:oidcIssuer <https://provider.com> . | ||
``` | ||
|
||
## Securing tokens for multiple resource servers | ||
|
||
#### The Problem | ||
|
||
Unlike standard implementations of OIDC, WebID-OIDC must deal with a number of RSs many of which the OP will not know about. OIDC defines the `aud` claim which defines the RSs for which a token can be used. | ||
But we are using a standard, right? Important that people understand this is not a custom extension.
||
However, given Solid's use case, a token should be usable for any RS so the user may federate a query across multiple Pods, so the `aud`ience cannot be constrained. Yet, an unconstrained `aud`ience opens up the possibility of token stealing. In this case, a user sends a request to `evilPod.example`. The Pod returns the requested information, but now has the user's token and may pretend to be the user on any other Pod in the world. | ||
|
||
#### The Solution | ||
|
||
The solution employs [Proof of Possession (PoP) tokens](https://tools.ietf.org/html/rfc7800) changing the way the Bearer token is constructed: | ||
|
||
1. A client application generates a short-lived public and private key. | ||
2. The client generates a request `JWT` just as it would under normal OIDC with the addition of a `key` field containing the public key. | ||
3. Authentication proceeds normally and yields a signed `id_token` where the `aud`ience is the client application (represented by the `origin` of the provided `redirect_uri`) and an additional field `cnf` is provided containing the client's public key. | ||
4. Before sending requests to any RSs, the client generates a new signed JWT PoP token containing the RS's uri as the `aud`ience and an `id_token` feild containing the `id_token` provided by the OP. | ||
5. When an RS receives the PoP token, it MUST reject any tokens containing a mismatched audience or a signature that is not associated with the public key in the `cnf` claim. | ||
|
||
## Detailed Sign In Workflow Example | ||
|
||
To walk through a more detailed example for WebID-OIDC login, refer to the | ||
|
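Review bot: step 5 of "The Solution" omits the checks that make the scheme safe: before trusting the key in `cnf`, the RS must also validate the embedded `id_token` itself (signature against the OP's published keys, `iss` matching the issuer discovered from the WebID per the Authorized OIDC Issuer Discovery section, `exp` not passed), otherwise any party can mint an `id_token` naming its own key; and the PoP token needs `iat`/`exp` (ideally a `jti` as well) so a token captured on its way to one RS cannot be replayed to that same RS indefinitely, which would reintroduce a narrower form of the theft described in "The Problem". Smaller points in the same hunk: step 1 should say "key pair"; step 3 should say `cnf` carries the public key as a JWK (the `jwk` member of RFC 7800); step 4 should state that the PoP token is signed with the client's private key, since that is what the `cnf` check in step 5 relies on, and "feild" is a typo; "OIDC defines the `aud` claim" should read "JWT ([RFC 7519](https://tools.ietf.org/html/rfc7519)) defines the `aud` claim", since OIDC only uses it; and `#### The Problem` / `#### The Solution` skip the `###` heading level used elsewhere in this file.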
Perhaps say a word about what they are, or at least expand acronym?