solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Clarify requirement and use of PoP tokens in WebID-OIDC protocol #68

Closed acoburn closed 3 years ago

acoburn commented 4 years ago

The current WebID-OIDC specification describes the use of Proof of Possession tokens, but many details are left out.

  1. Is the cnf claim required?
  2. Does the cnf claim belong in the body or header of the JWT?
  3. Does the key field belong in the body or header of the ID token (or access token; see solid/authentication-panel#65)?
  4. It is clear that an RS must reject a token with certain mismatched data, but must it also reject a token that doesn't contain the cnf claim at all? (i.e. a non-PoP token; effectively, a downgrade attack)
  5. Is there a "token_type": "pop" claim requirement as in the examples?
  6. Should the id_token claim be renamed? (c.f. solid/authentication-panel#65)

Reference: https://tools.ietf.org/html/draft-fett-oauth-dpop-02

elf-pavlik commented 4 years ago

@jaxoncreed how do you think we should connect this issue with work in https://github.com/solid/authentication-panel?

@acoburn you might like to check out this rough draft of a proposal for the next iteration of WebID-OIDC: https://github.com/solid/authentication-panel/issues/21. It also has to connect with the work on authorizing apps currently done in https://github.com/solid/authorization-and-access-control-panel.

jaxoncreed commented 4 years ago

I think a common problem causing these questions is that we really only outline one authentication flow. Like the cnf claim is required only if you're going through the PoP token flow.

kjetilk commented 4 years ago

The discussion on this issue is ongoing in the Authentication Panel.

elf-pavlik commented 3 years ago

@acoburn does latest draft address your concerns? https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md

acoburn commented 3 years ago

Yes, this has been addressed.