Closed. acoburn closed this issue 3 years ago.
@jaxoncreed how do you think we should connect this issue with the work in https://github.com/solid/authentication-panel?
@acoburn you might like to check out this rough draft of a proposal for the next iteration of WebID-OIDC: https://github.com/solid/authentication-panel/issues/21. It also has to connect with the work on authorizing apps currently done in https://github.com/solid/authorization-and-access-control-panel.
I think a common problem causing these questions is that we really only outline one authentication flow. For example, the `cnf` claim is required only if you're going through the PoP token flow.
The discussion on this issue is ongoing in the Authentication Panel.
@acoburn does the latest draft address your concerns? https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md
Yes, this has been addressed
The current WebID-OIDC specification describes the use of Proof of Possession tokens, but many details are left out.

- Is the `cnf` claim required?
- Does the `cnf` claim belong in the body or header of the JWT?
- Does the `key` field belong in the body or header of the ID token (or access token: solid/authentication-panel#65)?
- What if a token carries no `cnf` claim at all? (i.e. a non-PoP token; effectively, a downgrade attack)
- Is the `"token_type": "pop"` claim a requirement, as in the examples?
- Should the `id_token` claim be renamed? (c.f. solid/authentication-panel#65)

Reference: https://tools.ietf.org/html/draft-fett-oauth-dpop-02
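The questions above are, from a resource server's point of view, one policy decision: where to look for `cnf`, what to do when it is missing, and how to match it against the key the client proves possession of. The block below is an added example written for this thread; it is not code from the WebID-OIDC spec, the authentication panel, or any Solid implementation. It reads `cnf` from the JWT payload only (RFC 7800 defines it as a claim, so a `cnf` that appears only in the JOSE header gives no binding), rejects a token without `cnf` wherever a PoP token is required (the bearer-downgrade case), treats `"token_type": "pop"` without `cnf` as inconsistent, and matches the presented key against either `cnf.jwk` or an RFC 7638 thumbprint in `cnf.jkt`, the form draft-fett-oauth-dpop uses. Signature verification of the token and of the proof is assumed to have been done by a JOSE library before this check runs; the tokens, issuer and subject URLs, and key coordinates are constructed placeholders, and `check_pop_binding`, `jwk_thumbprint` and the other names are this example's own.

```python
import base64
import hashlib
import json

# RFC 7638: the members that enter a thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                       "RSA": ("e", "kty", "n"),
                       "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the lexically sorted, whitespace-free
    JSON of the required members, base64url-encoded without padding."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def split_jws(token: str):
    """Decode header and payload of a compact JWS. Signature verification is
    assumed to have happened already (e.g. in a JOSE library); none is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_pop_binding(token: str, presented_jwk: dict, pop_required: bool = True) -> str:
    """Resource-server policy for the cnf claim. Returns "ok" / "ok-bearer" on
    acceptance, otherwise a string starting with "rejected:" giving the reason."""
    _header, payload = split_jws(token)
    # cnf is a claim (RFC 7800), so it is read from the payload only. A cnf
    # placed in the JOSE header is deliberately ignored and gives no binding.
    cnf = payload.get("cnf")
    if not isinstance(cnf, dict):
        if pop_required:
            return "rejected: no cnf claim where a PoP token is required (bearer downgrade)"
        if payload.get("token_type") == "pop":
            return "rejected: token_type is pop but no cnf claim is present"
        return "ok-bearer"
    if "jwk" in cnf:
        matches = jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(presented_jwk)
    elif "jkt" in cnf:
        matches = cnf["jkt"] == jwk_thumbprint(presented_jwk)
    else:
        return "rejected: cnf carries neither jwk nor jkt"
    return "ok" if matches else "rejected: presented key does not match cnf"


def unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed test token with alg=none and an empty signature, used only
    to exercise the binding checks. Never accept alg=none in production."""
    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{compact(dict(header, alg='none'))}.{compact(payload)}."


# Constructed client key: the coordinates are placeholders, not a real P-256 point.
CLIENT_JWK = {"kty": "EC", "crv": "P-256",
              "x": "cGxhY2Vob2xkZXItcG9pbnQteC1jb29yZGluYXRlLTEyMzQ",
              "y": "cGxhY2Vob2xkZXItcG9pbnQteS1jb29yZGluYXRlLTEyMzQ"}
OTHER_JWK = dict(CLIENT_JWK, x="ZGlmZmVyZW50LXBvaW50LXgtY29vcmRpbmF0ZS0xMjM0NTY")


def sample_tokens() -> dict:
    """Constructed tokens covering each case the questions raise."""
    base = {"iss": "https://idp.example", "sub": "https://alice.example/profile#me",
            "exp": 2000000000}
    jkt = jwk_thumbprint(CLIENT_JWK)
    return {
        "bound_jkt": unsigned_jwt({"typ": "JWT"}, dict(base, cnf={"jkt": jkt}, token_type="pop")),
        "bound_jwk": unsigned_jwt({"typ": "JWT"}, dict(base, cnf={"jwk": CLIENT_JWK})),
        "cnf_in_header_only": unsigned_jwt({"typ": "JWT", "cnf": {"jkt": jkt}}, base),
        "pop_without_cnf": unsigned_jwt({"typ": "JWT"}, dict(base, token_type="pop")),
        "plain_bearer": unsigned_jwt({"typ": "JWT"}, base),
    }


if __name__ == "__main__":
    for name, token in sample_tokens().items():
        print(f"{name:20s} {check_pop_binding(token, CLIENT_JWK)}")
```

In a DPoP-style deployment `presented_jwk` would be the `jwk` carried in the header of the (already signature-checked) proof JWT, so a stolen access token replayed without the matching private key fails the `jkt` comparison, and a plain bearer token replayed against a PoP-only resource fails on the missing `cnf` rather than being silently accepted.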