-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify implicitly trusted OIDC issuer #51
Comments
That discussion was just noticing that existing normal NSS users all log in happily without having that |
Thanks @RubenVerborgh
In this case, I don't see why the WebID would need to be dereferenced.
This is an excellent point. Here we would want to clarify that the URIs would need to match the scheme and port. And that the host needs to either match or be a subdomain of the issuer.
This case in particular has been the cause of many errors, especially when comparing the
This is not something I have considered before. A path like this implies a multi-tenant IdP, so might want to be more careful with this case, but if the scheme/host/port values are the same (or subdomains) of the WebID, there is already an implied trust relationship. And so I do not see why that would be any different that the cases outlined above.
Yes, I believe this is desired behavior (that parent domain(s) are trusted). |
We had some conversation about it during today's solid/authentication-panel#197 It seems that having an implicit trust can be useful for two reasons
While the first one seems pretty minor, I would like to understand when the second becomes important. @acoburn mentioned that in his implementation of IdP, in WebID Documents that it manages it does include that explicit triple. Since we need to have that explicit mechanism with |
Are all components for the specification being designed in a way that doesn't depend on publicly accessible WebID Document? |
During the call yesterday @acoburn suggested the even if WebID Document is not public, HTTP response could still include OIDC Issuer delegation in Link Header. Currently, we have it defined as an optional way of advertising it but we could consider making it required if the document itself is not public. @jeff-zucker I think it would be great to consider implications of WebID Document not being public in the Task Force working standards predicates used there. Personally, I would lean in the direction to require it to be public and provide a clear way how to extend it with non-public information. I would prefer not to dive into that too deep here and discuss it wherever the Task Force focused on WebID Document will work. |
Lower level: w3c/WebID#1 |
In case when the user makes their WebID profile private. Unless we provide explicit |
To be considered maybe is the fact that (in my understanding):
See also a detailed example: w3c/WebID#1 (comment) |
Also, I'm not an expert, but I can imagine that there are cases where someone wouldn't want to trust an issuer on the same domain as their WebID or even subdomain. I am therefore against implicit trust, it doesn't seem to solve any technical issues and introduces security concerns, sounds like a bag of crabs to me. |
No description provided.
The text was updated successfully, but these errors were encountered: