how are redirect_urls authenticated? #22
Comments
there are two main issues with the authenticity of the Resource Server ultimately has to believe the user about the note that the user herself can cause an OP to claim a different |
Thanks for the details. So for web sites that ask you to login via say Twitter or Github, such as the solid forum page the What is the |
We use the origin of the To clarify, the origin header is used to identify an app, but not to authenticate it. The redirect_url embedded in the token is used to do that. See |
I think the proposal in User controlled Authorization App would enable the Authorization App loaded from a secure Origin and holding the private keys for all applications launched, to know the exact url of each launched app, since those were the urls used to launch the apps. This makes it possible to now both identify the App type (the launch URL) and the App instance, using a private key controlled by the App Launcher. The App Launcher could then even give the App instance (running in a particular browser) a particular WebID (though blank nodes will also do, as keys are inverse functional properties). So the App Launcher could write to the user's personal Pod the following triples for each app:

```turtle
<app/calendar#FirefoxOnLinux> a :App;
    :appLaunch <https://office.app/2019/Calendar.html>;
    :browser "...";
    cert:key [ ... ] .
```
I think we can close this issue and follow up in other related issues
In both of them we need to address what role Otherwise we should define some criteria for resolving this issue, preferably by PR. |
Agreed. We'll continue the conversation in those |
As I understand identifying Apps indirectly via the `Origin` header is now no longer correct, and one should use the redirect_url of OAuth as an identifier for the app. It is clear that Origins are much too broad to identify a single application. I am not sure though how the OAuth Authorization server authenticates the app? How does the OAuth server distinguish one app from an origin from another?