solid / webid-oidc-spec

WebID-OIDC Authentication Spec v0.1.0
MIT License

Proposal: support Self-Issued OpenID Providers as issuers for WebIDs #22

Open zenomt opened 5 years ago

zenomt commented 5 years ago

A Self-Issued OpenID Provider is a self-hosted OIDC Provider that issues self-signed ID tokens. Such a self-signed ID token includes a public key in its `sub_jwk` claim, with which the token is signed. A self-signed ID token is identified as such with a special reserved issuer of "https://self-issued.me".

Proposal: extend the webid-oidc-spec to allow this case by:

TL;DR: ID tokens can be self-signed. Validate self-signatures, confirm that the WebID lists the same public key, and that the WebID says its issuer is the self-issued OP.

Use case: a bot or other automatic agent can have a WebID. Allowing the use of self-issued ID tokens with WebID-OIDC can simplify these agents and their deployments by not requiring a stub implementation of an OIDC Provider with at least its configuration and jwks endpoints just to verify ID token signatures. All that's required is hosting a single static profile document on an ordinary web server for the agent to have a WebID.

jaxoncreed commented 5 years ago

+1. We need to ensure an implementation that can allow bots to authenticate.

jaxoncreed commented 5 years ago

Had a talk with @dmitrizagidulin and he thinks this has some great implications for DiD implementations. We think there are more considerations to do before integrating it into the spec, so maybe he can talk about them here.

zenomt commented 5 years ago

@jaxoncreed @dmitrizagidulin

> We think there are more considerations to do before integrating it into the spec, so maybe he can talk about them here.

ping?

zenomt commented 5 years ago

Also, as I mentioned in https://github.com/solid/webid-oidc-spec/issues/30#issuecomment-497854769, the spec should explicitly allow multiple `solid:oidcIssuer`s, for the command-line tool case. That way I can have a normal OIDC Provider that I can log in with normally in my browser, and the self-issued provider for use with command-line tools. My WebID https://zenomt.zenomt.com/card.ttl#me is doing this. An inline example for posterity:

```turtle
@prefix cert:  <http://www.w3.org/ns/auth/cert#> .
@prefix solid: <http://www.w3.org/ns/solid/terms#> .
@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .

<#me>
    solid:oidcIssuer
        <https://oidc.example>,   # my regular OP
        <https://self-issued.me>; # for command-line tools

    cert:key [
        a cert:RSAPublicKey;
        cert:exponent 65537;
        cert:modulus "D7B6DF...A5EC"^^xsd:hexBinary # modulus abbreviated for clarity
    ].
```

zenomt commented 5 years ago

As I mentioned in https://github.com/solid/oidc-auth-manager/issues/45, it appears that NSS today doesn't work correctly if there are multiple `solid:oidcIssuer`s.