Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC issuer discovery when WebID is not publicly readable #80

Open
elf-pavlik opened this issue Feb 14, 2022 · 1 comment
Open

OIDC issuer discovery when WebID is not publicly readable #80

elf-pavlik opened this issue Feb 14, 2022 · 1 comment

Comments

@elf-pavlik
Copy link
Member

Capturing from #51

@elf-pavlik: I think it's worth considering if we should keep the added complexity by having an implicit mechanism.

@RubenVerborgh: A reason for that would be: what if the WebID is not publicly accessible, or a least not accessible by the IdP?

@elf-pavlik: Are all components for the specification being designed in a way that doesn't depend on publicly accessible WebID Document?

@RubenVerborgh: Let me phrase it differently: I don't think many depend on it.

Curren WebID draft has non-normative statement in Privacy section

A WebID Profile is a public document that may contain public as well personal information about the agent identified by the WebID. As some agents may not want to reveal a lot of information about themselves, RDF and Linked Data principles allows them to choose how much information they wish to make publicly available. This can be achieved by separating parts of the profile information into separate documents, each protected by access control policies.

This suggests the assumption of WebID Document being public read.

@acoburn suggested during today's meeting that Solid-OIDC could require WebID Document to be publicly read.

We also discussed during one of past meetings that if WebID Document isn't public, the HTTP Link header of the response would still need to include a statement for each issuer.

@jeff-zucker are there any other places where the assumption of WebID Document being public read (or not) are discussed?

Interop spec also relies on the discovery of Authorization Agent from public read WebID Document (interop:hasAuthorizationAgent).

The mentioned suggestion in the current WebID Draft could be served by References Lists we work on in interop panel solid/data-interoperability-panel/issues/174 That would allow discovering separate protected resource which for example would include all the statements where WebID is the subject and foaf:knows the predicate. /cc @justinwb
@elf-pavlik elf-pavlik mentioned this issue Feb 14, 2022
Closed
@jeff-zucker
Copy link
Member

Since the WebID document and the Profile document can be either different documents (ESS) or the same document (NSS), the discovery process that works for all servers is

  1. Load the document pointed to by the WebID URI.
  2. If that document contains a foaf:PrimaryTopicOf predicate, load the triple's object.

We now have the Profile Document regardless of whether the WebID URI points directly or indirectly to it.

How would this work if the WebID document is not publicly readable? What would be the steps we could tell a developer to arrive at the Profile document? Considering that they won't know in advance which type of server or whether the document that they get on dereferencing the WebID URI is publicly readable or not.

@elf-pavlik elf-pavlik mentioned this issue Feb 15, 2022
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elf-pavlik @jeff-zucker