solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

WebID-OIDC delegation #111

Closed namedgraph closed 3 years ago

namedgraph commented 3 years ago

I don't see anything in https://solid.github.io/authentication-panel/solid-oidc/ about delegation. Can a Solid server make requests on behalf of the user using WebID-OIDC? If yes, how?

Delegation is possible using WebID-TLS and the On-Behalf-Of header: https://www.w3.org/wiki/WebID/Authorization_Delegation#Auth_Sequence

elf-pavlik commented 3 years ago

I'll try to capture some things we discussed during the last call:

OAuth is all about the user delegating access to a client. In the vast majority of cases a Solid application will act as the OAuth client and the user will delegate some subset of their access to it. In that case the client (solid app) acts on behalf of the user. It doesn't make a difference whether that client (solid app) runs locally on the device or remotely on some server; it still acts as an OAuth client.

The current primer https://solid.github.io/authentication-panel/solid-oidc-primer/ shows that example, in that case referring to the client (solid application) as the Relying Party (RP). Quoting the definition from that primer:

Relying Party (RP) A client application using OpenID Connect to make resource requests on behalf of the resource owner. Client is one of the four roles defined in the OAuth 2.0 specification. [RFC6749]

I will work on adding to the primer the rarer case where the user directly navigates their web browser to a protected resource (#31). In that case Solid Storage would act as the Client/Relying Party and only rely on the ID Token issued by the OIDC Provider. In this case Solid Storage hosts the resource, so saying that the user delegates access to it doesn't seem practical.

namedgraph commented 1 year ago

What I meant matches the description of an OIDC token exchange: https://www.rfc-editor.org/rfc/rfc8693.html
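As an added illustration of the RFC 8693 token exchange namedgraph refers to (example code written for this thread, not code from the authentication panel or any Solid server), the block below plays both sides of the exchange with a toy HS256 signer: the storage server, acting as the OAuth client, POSTs the user's ID Token as `subject_token` together with its own `actor_token`, and a toy token endpoint validates both signatures and mints an access token whose `act` claim records who is acting on the user's behalf (RFC 8693 section 4.1, with earlier actors nested under the current one). All hostnames, the shared secret and the `now` timestamp are constructed; the grant type and token-type URNs are the ones the RFC defines. How Solid-OIDC actually obtains access tokens is not modelled here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Identifiers defined by RFC 8693 (not constructed).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
TT_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
TT_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TT_JWT = "urn:ietf:params:oauth:token-type:jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS with HS256. Toy: a shared secret stands in for the issuer's signing key."""
    signing_input = f"{_enc({'alg': 'HS256', 'typ': 'JWT'})}.{_enc(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; the token never gets to pick the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def build_exchange_request(subject_token: str, audience: str, actor_token: Optional[str] = None,
                           subject_token_type: str = TT_ID_TOKEN) -> str:
    """Form body the storage server (as OAuth client) POSTs to the token endpoint (RFC 8693 section 2.1)."""
    params = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token,
              "subject_token_type": subject_token_type, "requested_token_type": TT_ACCESS_TOKEN,
              "audience": audience}
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = TT_JWT
    return urlencode(params)


def issue_delegated_token(form_body: str, key: bytes, issuer: str, now: int) -> dict:
    """Toy token endpoint: validate both presented tokens, then mint an access token whose
    `act` claim names the current actor, with any earlier actors nested beneath it."""
    form = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    if form.get("subject_token_type") not in (TT_ID_TOKEN, TT_ACCESS_TOKEN):
        raise ValueError("invalid_request: unsupported subject_token_type")
    subject = verify_hs256(form["subject_token"], key)
    claims = {"iss": issuer, "sub": subject["sub"], "aud": form["audience"], "iat": now, "exp": now + 300}
    if "webid" in subject:                      # Solid-OIDC carries the user's WebID in a `webid` claim
        claims["webid"] = subject["webid"]
    if "actor_token" in form:
        actor = verify_hs256(form["actor_token"], key)
        act = {"sub": actor["sub"]}
        if "act" in subject:                    # existing chain becomes the nested (prior) actor
            act["act"] = subject["act"]
        claims["act"] = act
    return {"access_token": sign_hs256(claims, key), "issued_token_type": TT_ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": 300}


def delegation_chain(claims: dict) -> list:
    """Walk nested `act` claims: current actor first, earlier actors after it."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def demo() -> dict:
    """Alice's ID Token is exchanged by her storage server for an access token that says it acts for her."""
    key = b"constructed-demo-secret"           # constructed; a real AS uses its private signing key
    id_token = sign_hs256({"iss": "https://op.example", "sub": "https://alice.example/#me",
                           "webid": "https://alice.example/#me"}, key)
    actor_token = sign_hs256({"iss": "https://op.example", "sub": "https://storage.example/#server"}, key)
    body = build_exchange_request(id_token, audience="https://webhook.example", actor_token=actor_token)
    response = issue_delegated_token(body, key, issuer="https://op.example", now=1_700_000_000)
    access = verify_hs256(response["access_token"], key)
    return {"sub": access["sub"], "webid": access.get("webid"), "aud": access["aud"],
            "chain": delegation_chain(access)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The resource server that receives such a token should check `sub` (whose resources) and `act` (who is actually calling) separately, since authorization for the two may differ; exchanging the resulting access token a second time with another `actor_token` nests the first actor under the new one, which is how a longer delegation chain would be expressed.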

elf-pavlik commented 1 year ago

Current Solid-OIDC uses UMA claims to push to exchange an ID Token for Access Tokens.

When it comes to the access delegation chain, which is more about AuthZ than AuthN, I captured one of the explored directions in https://github.com/solid/data-interoperability-panel/issues/222


Can a Solid server make requests on behalf of the user using WebID-OIDC? If yes, how?

This will very likely be needed to deliver notifications (Webhook, LDN subscription types and similar). I don't think this needs a longer delegation chain; the solid storage ('server') in this case will just act as the client, so the ID Token which gets exchanged for Access Tokens will include the following claims: