kasparsd / solid-pod

Solid POD for WordPress
GNU General Public License v2.0

Interested in continuing this project #1

Open Fab1en opened 3 years ago

Fab1en commented 3 years ago

Hi Kaspars, I'm Fabien, a web developer from the StartinBlox team. We are building a platform based on the SOLID ecosystem, and we found your plugin very interesting.

With some quick fixes, I was able to use a WordPress installation as an OIDC-compliant WebID provider and complete a full authentication mechanism. However, this plugin is still in a "proof of concept" state and is not suitable for production use. Do you have plans to work on it soon?

I would like to continue the work to fix the remaining issues and make it production-ready. How does that sound to you?

kasparsd commented 3 years ago

This sounds great! Are you ok with opening the pull requests to this repository?

Fab1en commented 3 years ago

Yes, I'll do it. For the moment I have nothing to commit: I have just made some quick & dirty fixes. But I can tell you the list of issues that I have identified:

  1. Use WP API routes instead of adding a query variable to manage the OIDC actions (jwks, register, authorize)
  2. Allow non-authenticated users to authenticate with WordPress login screen at OIDC authorization time (today it works only if the user is already authenticated by WP at OIDC authorization time)
  3. Implement a prompt screen to get proper data use authorization from the user
  4. Add a mechanism to generate RSA key pair at plugin installation time (today the key is hard coded)
  5. At registration time, client secret is missing (I don’t know the impact of this issue)
  6. In openid-configuration request, claims_supported and id_token_signing_alg_values_supported are void.

Fab1en commented 3 years ago

Also, CORS headers are missing for the first /.well-known/openid-configuration request
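A small check of a provider's discovery response against the points raised above (empty claims_supported / id_token_signing_alg_values_supported, missing CORS header). This is an added example in Python, not code from the solid-pod plugin; the field names are the standard OIDC discovery ones named in the comments, and the URLs and sample values are constructed.

```python
import json

# Fields a relying party needs from /.well-known/openid-configuration; the
# last two are the ones issue 6 above reports as empty.
REQUIRED_NON_EMPTY = (
    "issuer",
    "jwks_uri",
    "registration_endpoint",
    "authorization_endpoint",
    "claims_supported",
    "id_token_signing_alg_values_supported",
)


def check_discovery(body: str, headers: dict) -> list:
    """Return findings for one discovery response; an empty list means it passed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response body is not valid JSON"]
    findings = [f"{f} is missing or empty" for f in REQUIRED_NON_EMPTY if not doc.get(f)]
    # A Solid app runs in a browser on another origin, so the discovery
    # response must carry a CORS header (the follow-up comment above).
    lowered = {k.lower(): v for k, v in headers.items()}
    if not lowered.get("access-control-allow-origin"):
        findings.append("Access-Control-Allow-Origin header is missing")
    # Clients verify ID tokens against the published JWKS, so the unsigned
    # 'none' algorithm must never be advertised.
    if any(a.lower() == "none" for a in doc.get("id_token_signing_alg_values_supported") or []):
        findings.append("id_token_signing_alg_values_supported allows 'none'")
    return findings


# Constructed sample responses (URLs are placeholders, not the plugin's routes).
BROKEN_BODY = json.dumps({
    "issuer": "https://wp.example",
    "jwks_uri": "https://wp.example/jwks",
    "registration_endpoint": "https://wp.example/register",
    "authorization_endpoint": "https://wp.example/authorize",
    "claims_supported": [],                          # issue 6: empty
    "id_token_signing_alg_values_supported": [],     # issue 6: empty
})
BROKEN_HEADERS = {"Content-Type": "application/json"}  # no CORS header

FIXED_BODY = json.dumps({**json.loads(BROKEN_BODY),
                         "claims_supported": ["sub", "webid"],
                         "id_token_signing_alg_values_supported": ["RS256"]})
FIXED_HEADERS = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}
```

Running check_discovery over a real provider's response body and headers gives the same three-item list for a provider with the defects described in this thread and an empty list once they are fixed.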

pinfold commented 3 years ago

I am also very interested in this work. Can the system be extended to provide a single login (POD) for a range of systems (WordPress, MediaWiki, GitHub, etc.)?

Fab1en commented 3 years ago

@pinfold

> I am also very interested in this work. Can the system be extended to provide a single login (POD) for a range of systems (WordPress, MediaWiki, GitHub, etc.)?

No, unfortunately this is not an SSO system. In SSO, one central system is responsible for providing the authentication part, and peripheral applications rely on this central system. With WebID the authentication part is decentralized: any system compatible with OIDC can provide the user identity.

Here, the project is to make WordPress one of those decentralized ID providers: your WordPress login and password would enable you to authenticate in an OIDC-compatible application hosted elsewhere without creating a new account on this application.

pinfold commented 3 years ago

I am trying to provide the convenience of the POD and its distributed nature while enabling the convenience of a single access point. I think something like this: https://www.healthworkscollective.com/guest-article-how-use-webid-create-single-sign-sso-across-healthcare-systems/ Would that work?