Closed acoburn closed 3 years ago
JWT has really specific use (stateless session information and third party authorization) with drawbacks and is often misunderstood. Many articles talk about this. This one is quite well written : http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If I'm not mistaken Session token / cookie is still the best way to handle this here
Some workflow on OIDC to help the discussion on this: https://backstage.forgerock.com/docs/am/5.1/oidc1-guide/images/openid-connect-basic.png https://medium.com/@awskarthik82/simple-guide-to-saml-vs-oidc-33a3349189c6
Authorization Token: in 302 redirect url parameter ID token, Access Token and Refresh Token: Should be stored in cookies for security concern
Many articles talk about this. This one is quite well written : http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If I'm not mistaken Session token / cookie is still the best way to handle this here
Note that most of those articles have very different circumstances in mind, where there is one client for one back-end. Solid has many clients for many back-ends. These circumstances invalidate some (but not all) of the arguments of those articles, so we cannot take their conclusions them at face value.
Just to note some of the things that we've discussed before
iss
field that refers to the IDPsub
field that refers to the user's WebIDaud
field that refers to the application (RP)exp
and iat
field for expiration and issued-attoken_type: 'pop'
field (Though we might want to consider adding the type
requirement for other tokens)access_token: 'SIGNED_ACCESS_TOKEN'
field which includes the access token signed by the IDPiss
field that refers to the app itself (RP)aud
field that refers to the resource server (RS)exp
and iat
field for expiration and issued-atIn addition to the discussion here, is this also being discussed in the Authentication Panel?
@kjetilk Yep. These are making their way into the auth spec
@dmitrizagidulin bump
Just so I understand, the client first interacts with an IDP, then it obtains the necessary things for constructing the access token, and then it interacts with a resource server, presenting the access token, right?
Does this issue only change the format of the access token, or also the interaction between client and IDP?
I'm just going to throw it out here, but would we want to slap a JSON-LD context on there for universal interpretability? We'd have to be mindful about size though, and pick something easily compressible like "@context:" "https://oidc.context/"
.
Just talked to @jaxoncreed, turns out that both the client/IDP interaction and the client/storage interaction are changing. So a reasonable migration plan might be:
does latest draft address everyone's concerns? https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md
Resolved in latest version of https://github.com/solid/authentication-panel/blob/master/oidc-authentication.bs
Under OIDC, ID tokens must be structured as a JSON Web Token (JWT), which gives structure to those tokens. With OIDC, access tokens are often structured as JWTs, but that is not a hard requirement. If the WebID-OIDC protocol moves toward using access tokens in the interaction between a relying party and a resource server, it may make sense to formalize the structure of these tokens as JWTs with certain required fields.