Open woutermont opened 3 years ago
acoburn
commented
3 years ago When using OpenID Connect, an identity provider should be authoritative for a single identity and therefore a single webid claim. Merging multiple identities along these lines is out of scope for Solid-OIDC.
Instead, I would encourage you to look into delegation-base authentication flows, UMA-style claims pushing or Verifiable Credential-based auth as alternatives.
woutermont
commented
3 years ago When using OpenID Connect, an identity provider should be authoritative for a single identity and therefore a single
webidclaim.
That is not really true, though, since OpenID Connect does not specify anything about additional claims such as webid. Only the local sub claim has to be a "locally unique and never reassigned identifier." Since the webid claim is only defined in Solid-OIDC itself, I therefore do not see why it would be a priori out of scope to allow more than one.
Thanks for the alternative suggestions, though. I'll look into them!
Section 6.2 of the Solid-OIDC spec reads:
While this sentence implies that the token can only include a single WebID, it is perfectly possible for a user to have multiple WebIDs (cf. #46). In the use cases where an Identity Provider knows about more than one WebID, I believe it would be preferable to have the spec accept a list of them in the claim.
This would of course impact how Resource Servers (or their respective Authorization Server) have to deal with ID Tokens, but i.m.o. only for the better: users who indeed identify with multiple WebIDs would then be able to access all resources that they would otherwise be able to access with each of the WebIDs separately in multiple tokens.
Is something like this already proposed (I could not find it)? Do you think this is a good idea?
(I'm writing this about WebIDs, but this holds more generally for all kinds of "solid claims", cf. https://github.com/solid/solid-oidc/issues/26)