Closed acoburn closed 3 years ago
severin-dsr
commented
4 years ago JWT has really specific use (stateless session information and third party authorization) with drawbacks and is often misunderstood. Many articles talk about this. This one is quite well written : http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If I'm not mistaken Session token / cookie is still the best way to handle this here
severin-dsr
commented
4 years ago Some workflow on OIDC to help the discussion on this: https://backstage.forgerock.com/docs/am/5.1/oidc1-guide/images/openid-connect-basic.png https://medium.com/@awskarthik82/simple-guide-to-saml-vs-oidc-33a3349189c6
Authorization Token: in 302 redirect url parameter ID token, Access Token and Refresh Token: Should be stored in cookies for security concern
RubenVerborgh
commented
4 years ago Many articles talk about this. This one is quite well written : http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If I'm not mistaken Session token / cookie is still the best way to handle this here
Note that most of those articles have very different circumstances in mind, where there is one client for one back-end. Solid has many clients for many back-ends. These circumstances invalidate some (but not all) of the arguments of those articles, so we cannot take their conclusions them at face value.
jaxoncreed
commented
4 years ago Just to note some of the things that we've discussed before
iss field that refers to the IDPsub field that refers to the user's WebIDaud field that refers to the application (RP)exp and iat field for expiration and issued-attoken_type: 'pop' field (Though we might want to consider adding the type requirement for other tokens)access_token: 'SIGNED_ACCESS_TOKEN' field which includes the access token signed by the IDPiss field that refers to the app itself (RP)aud field that refers to the resource server (RS)exp and iat field for expiration and issued-at
kjetilk
commented
4 years ago In addition to the discussion here, is this also being discussed in the Authentication Panel?
jaxoncreed
commented
4 years ago @kjetilk Yep. These are making their way into the auth spec
michielbdejong
commented
4 years ago @dmitrizagidulin bump
michielbdejong
commented
4 years ago Just so I understand, the client first interacts with an IDP, then it obtains the necessary things for constructing the access token, and then it interacts with a resource server, presenting the access token, right?
Does this issue only change the format of the access token, or also the interaction between client and IDP?
RubenVerborgh
commented
4 years ago I'm just going to throw it out here, but would we want to slap a JSON-LD context on there for universal interpretability? We'd have to be mindful about size though, and pick something easily compressible like "@context:" "https://oidc.context/".
michielbdejong
commented
4 years ago Just talked to @jaxoncreed, turns out that both the client/IDP interaction and the client/storage interaction are changing. So a reasonable migration plan might be:
elf-pavlik
commented
3 years ago does latest draft address everyone's concerns? https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md
justinwb
commented
3 years ago Resolved in latest version of https://github.com/solid/authentication-panel/blob/master/oidc-authentication.bs
Under OIDC, ID tokens must be structured as a JSON Web Token (JWT), which gives structure to those tokens. With OIDC, access tokens are often structured as JWTs, but that is not a hard requirement. If the WebID-OIDC protocol moves toward using access tokens in the interaction between a relying party and a resource server, it may make sense to formalize the structure of these tokens as JWTs with certain required fields.