Closed namedgraph closed 3 years ago
I'll try to capture some things we discussed during the last call:
OAuth is all about a user delegating access to a client. In the vast majority of cases a Solid application will act as the OAuth client and the user will delegate some subset of their access to it. In that case the client (Solid app) acts on behalf of the user. It doesn't make a difference if that client (Solid app) runs locally on the device or remotely on some server; it still acts as an OAuth client.
The current primer https://solid.github.io/authentication-panel/solid-oidc-primer/ shows that example, in that case referring to the client (Solid application) as the Relying Party (RP). Quoting the definition in that primer:
Relying Party (RP): A client application using OpenID Connect to make resource requests on behalf of the resource owner. Client is one of the four roles defined in the OAuth 2.0 specification. [RFC6749]
I will work on adding to the primer the rarer case where the user directly navigates their web browser to a protected resource (#31). In that case Solid Storage would act as the Client/Relying Party and rely only on the ID Token issued by the OIDC Provider. In this case Solid Storage hosts the resource, so saying that the user delegates access to it doesn't seem practical.
What I meant matches the description of an OIDC token exchange: https://www.rfc-editor.org/rfc/rfc8693.html
Current Solid-OIDC uses UMA claims pushing to exchange an ID Token for Access Tokens.
When it comes to the access delegation chain, which is more about AuthZ than AuthN, I captured one of the explored directions in https://github.com/solid/data-interoperability-panel/issues/222
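As an added illustration (not code from this thread, from Solid-OIDC or from the RFC), here is a minimal model of the RFC 8693 exchange referred to above: the OAuth client (a Solid app, or Solid storage acting as a client) posts the user's ID Token as `subject_token`, and the token endpoint checks, before minting an Access Token, that the ID Token was actually issued to the client asking for the exchange. The function names, the `claims_of` lookup and the sample claims are assumptions of the example; signature verification of the JWT is assumed to have happened already.

```python
import time
from urllib.parse import urlencode, parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample: claims of an ID Token the OP issued to the Solid app.
# A real token endpoint verifies the JWT signature before trusting these.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "sub": "alice",
    "webid": "https://alice.example/profile#me",
    "aud": ["https://app.example/id"],
    "exp": int(time.time()) + 600,
}

def build_exchange_request(id_token: str, resource: str) -> str:
    """Form body the client posts to trade an ID Token for an Access Token (RFC 8693 section 2.1)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": id_token,
        "subject_token_type": ID_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "resource": resource,
    })

def exchange(body: str, client_id: str, claims_of: dict, trusted_issuers: set, now=None) -> dict:
    """Token endpoint side: validate the request and return access-token claims or an OAuth error.
    `claims_of` maps a subject_token string to its already signature-verified claims (assumed helper)."""
    p = {k: v[0] for k, v in parse_qs(body).items()}
    if p.get("grant_type") != TOKEN_EXCHANGE_GRANT or p.get("subject_token_type") != ID_TOKEN_TYPE:
        return {"error": "unsupported_grant_type"}
    claims = claims_of.get(p.get("subject_token"))
    if claims is None or claims["iss"] not in trusted_issuers:
        return {"error": "invalid_request", "error_description": "unknown subject_token"}
    if (now or time.time()) >= claims["exp"]:
        return {"error": "invalid_request", "error_description": "subject_token expired"}
    # The ID Token must have been issued to the client requesting the exchange; otherwise
    # anyone holding a leaked ID Token could turn it into Access Tokens for the user.
    if client_id not in claims["aud"]:
        return {"error": "invalid_request", "error_description": "subject_token not issued to this client"}
    return {
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "claims": {"iss": claims["iss"], "sub": claims["sub"], "webid": claims["webid"],
                   "client_id": client_id, "aud": p.get("resource"), "exp": claims["exp"]},
    }
```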
> Can a Solid server make requests on behalf of the user using WebID-OIDC? If yes, how?

This will very likely be needed to deliver notifications (Webhook, LDN subscription types and similar). I don't think this needs a longer delegation chain; Solid storage ('server') in this case will just act as the client, so the ID Token which gets exchanged for Access Tokens will include the following claims:
I don't see anything in https://solid.github.io/authentication-panel/solid-oidc/ about delegation. Can a Solid server make requests on behalf of the user using WebID-OIDC? If yes, how?
Delegation is possible using WebID-TLS and the `On-Behalf-Of` header: https://www.w3.org/wiki/WebID/Authorization_Delegation#Auth_Sequence