Clarify which issuers are implicitly trusted. #52
Conversation
RubenVerborgh
force-pushed
the
fix/trusted-issuers
branch
from
2262ed3 to
656426a
Compare
| @@ -350,7 +350,7 @@ With the `webid` scope, the DPoP-bound Access Token payload MUST contain these c | |||
|
|
|||
| <pre highlight="json"> | |||
| { | |||
| "webid": "https://janedoe.com/web#id", | |||
| "webid": "https://jane.doe.example/web#id", | |||
There was a problem hiding this comment.
Changed in order to have subdomain examples below
|
|
||
| Unless the RS acquires IdP keys through some other means, or the RS chooses to reject tokens issued by this IdP, | ||
| the RS MUST follow OpenID Connect Discovery 1.0 [[!OIDC.Discovery]] to find an IdP's signing keys (JWK). | ||
|
|
||
| ### WebID Issuer Discovery via Link Headers ### {#webid-issuer-discovery} | ||
|
|
||
| A server hosting a WebID document MAY transmit the `http://www.w3.org/ns/solid/terms#oidcIssuer` values via Link Headers but it MUST be the same as in the RDF representation. A client MUST treat the RDF in the body of the WebID document as canonical but MAY use the Link Header values as an optimization. |
There was a problem hiding this comment.
I removed this section because it was unclear how this could be enforced.
To me,
A client MUST treat the RDF in the body of the WebID document as canonical
means that the client still has to read the RDF body. So then also checking the header seems pointless.
I.e., I can't think of
MAY use the Link Header values as an optimization
while also enforcing the RDF as canonical.
There was a problem hiding this comment.
This can be enforced in cases where a special server understands the issuer claim in a WebID document. A live example of this is at https://id.inrupt.com/acoburn
There was a problem hiding this comment.
There are surely ways to express this more clearly in the specification text. But the point is that this is an optional feature that allows a client to avoid having to download and parse an entire RDF profile document.
There was a problem hiding this comment.
Okay; will restore. I think the canonical language is void though. No point in having that if it is not mandatory to check.
This can be enforced in cases where a special server understands the issuer claim in a WebID document. A live example of this is at
https://id.inrupt.com/acoburn
I did not understand that one though; how is the enforcement happening? Of do you mean that the server enforces this, not the client? Because the language currently reads that the client should do this.
There was a problem hiding this comment.
Or do you mean that the server enforces this, not the client?
It is a resource server, acting as an HTTP client, that enforces this. The language can certainly be clarified.
|
In a small organization or deployment where an entire domain space is managed by a single person (or small group) this notion of implicit trust makes a lot of sense. Where this breaks down is in cases where a WebID is hosted in a sub-domain space that is managed separately from the root domain. For example, if company Foo is deploying Solid in such a way that Another example is with a large hosting provider: |
Thanks, Aaron. I'm more than happy to drop the subdomain relaxation; I only added it because of #51 (comment)
Agreed; just want to note that this text is describing existing implementations in the wild, not proposing anything new. |
RubenVerborgh
force-pushed
the
fix/trusted-issuers
branch
from
656426a to
f033b8b
Compare
RubenVerborgh
force-pushed
the
fix/trusted-issuers
branch
from
f033b8b to
d3c1614
Compare
|
We discussed this PR during the panel meeting yesterday. First of all, we would like to continue the conversation in #51 to see if we could remove implicit trust altogether and always rely on the explicit statement in WebID Document and/or HTTP Link header of the response when requesting WebID. If in the issuer we decide that we indeed need some form of implicit trust. It shouldn't just match all the subdomains down to TLD. For example, having WebIDs |
|
#51 (comment) suggests a way forward, this includes closing this PR without mergning |
Fixes #51