Log in via many and multiple identity providers

[bjdmeest]

Pitch

Looking at the current identity providers at, e.g. the Flemish government, there's an abundance of options: ItsMe, via eID, ... How does the Solid paradigm align with the current landscape? What is needed to provide the same level of trust by the user, or even better: can we make the experience seamless? How? Is something missing in the Solid protocols?

Desired solution

• Security threat evaluation of the Solid OIDC specifications, with a focus on smooth upgrade path of existing established solutions
  • Ideally, there's a secure alignment possible to use existing (OAuth) providers to log into your Solid pod.
  • Otherwise, (technical) mitigation paths are outlined

Acceptance criteria

• A seamless integration of existing IDPs and Solid-OIDC
• A security thread evaluation

Pointers

• OAuth 2 / OIDC
• Solid-OIDC

[RubenVerborgh]

Can we make the list of IDPs specific? Then this challenge is ready to go.

[laurensdeb]

@RubenVerborgh: An option would be to use (a) the IdP in the Community Solid Server alongside (b) a traditional OIDC IdP like KeyCloak combined with the open-source Digita ID Proxy for Solid-OIDC support like described here.

In terms of what we've found to be missing:

• How does one link a new IdP to an existing WebID? The WebID specification does not provide us with any pointers. This goes in both directions, i.e. how should the IdP know that the WebID belongs to its user and how does the WebID provider know to add the IdP to the profile.
• If multiple IdPs are present, how should these be used in interactions with the end-user? Should we show all IdPs, and how do we prioritize them? What if the acp:issuer attribute is used for authorizing access, how do we then know a user should log in with another IdP?
• It does not seem possible to obtain a full decoupling between WebID minter and IdP at this point. How does that affect interoperability?

We have been considering these issues at Digitaal Vlaanderen in the context of our use cases. So we would be happy to provide some of our insights if work starts on this challenge.

[pheyvaer]

@bjdmeest Can you have a look at @RubenVerborgh's comment? @RubenVerborgh Does @laurensdeb's answer already help?

[bjdmeest]

Honestly, I'm a proxy for this challenge, I don't have full expertise on this. @laurensdeb, could you maybe provide a suggestion to a better description for this challenge (basically join your comment with my initial proposal)?