Open bourgeoa opened 1 year ago
We are waiting for some input from the WebID spec.
The oidc:Issuer is required by the Solid-OIDC spec. Everything else is up in the air as to whether it will be a MUST in the coming spec. But at a minimum all the predicates you show will be strong recommendations (I hope). Regardless of whether they are a MUST, I do not see any advantage and multiple disadvantages to not including them in default profiles.
What I do see as a very critical issue is that we should disallow editing of the oidcIssuer. Make users request changes to it by email. A mistake in the oidcIssuer blocks the user from authenticating with their WebID. A bad actor replacement of the oidcIssuer would hijack the entire account.
@jeff-zucker Do you have any hints to what minimal controls on a card WebID should contain ? Are all the following needed
I'm not sure the last 3 are a MUST.