Sparika
commented
5 years ago What is missing is a way for the audience of the OIDC authentication containing a webid claim (or equivalent) to verify the validity of claim. Indeed, anyone can claim a WebID in the same way that everyone could claim an email address or a web origin.
I see three scenarios:
- Either the audience of the claim does not care about the validity of the claim. If you say this is your phone number and you doesn't get my call, that's your problem. In the end, the WebID content is declarative anyway (right?).
- The audience trust the identity provider to have conducted appropriate verifications. This is probably trivial if the
issorigin matches the WebID origin. In the case where the WebID is from another origin, is there a way for the user to prove ownership of the WebID to the identity provider? (1) - The audience wants to verify the validity of the WebID by itself. I'm not sure it is required in the first place, because then, what's the point of using authentication delegation in the first place.
(1) For instance, could it be possible to reuse the ACME protocol (let's encrypt) to prove ownership of the WebID to the IdP?
I don't understand the problem described in WebID Provider Confirmation.
I think the core of the problem is expecting a global WebID in the ID-token. If it would be simply derived from claim fields that can be verified in a straightforward way (e.g.
issandsub, as I propose in #10), then the need for WebID verification step goes away IMO. That verification process introduces a lot of complexity without a clear benefit.