Comments (9)
<https://alice.example/>
solid:oidcIssuer <https://acme.example/>,
<https://yoyodyne.example/> .
Alice uses one WebID https://alice.example/
and delegates to two OPs rights to issue id_token
for that WebID https://acme.example/
and https://yoyodyne.example/
.
solid:oidcIssuer
plays role in https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md#6-checks-issuer
from authorization-panel.
@bblfish Can someone describe the use case for one (Web)Id and multiple Id providers?
different ID providers might support different authentication/login schemes that might be appropriate to different environments (example: login/password for one, client certificate for another), or a user might be transitioning from one id provider to another, or one of them might be the OIDC self-issuer, or one of them might be a specially privileged intranet one and the other a more ordinary global one, or because the user feels like it and should be free to have as many issuers as she wants.
from authorization-panel.
zenomt suggested that OP could store results of user granting permission on consent screen to solid storage provided by the user.
not exactly. i have suggested that the user's permission grants to her apps be by URIs in location(s) designated by the user (in her profile), where the URIs are dereferenced to obtain the actual permissions granted to the app. i have suggested that a permission management app could be one way that permission grant documents can end up in an approved location, and that in some implementations an OP could do double-duty as the permission manager, which might yield a good user experience.
a document with a URI in an approved (according to the user's profile) location is just as good as a credential signed by an approved (according to the user's profile) issuer, but with no extra cryptography required (and it's a lot simpler).
the user could have any number of permission managers. the app just needs to know the URIs of its grant documents (presumably via a preference also maintained by the permission manager).
from authorization-panel.
I have created separated issue Client Capabilities: Verifiable Credential Proofs vs. Special discoverable prefix in storage solid/authentication-panel#60 to discuss details of verifying capability credentials presented by the client.
i have suggested that the user's permission grants to her apps be by URIs in location(s) designated by the user (in her profile), where the URIs are dereferenced to obtain the actual permissions granted to the app. i have suggested that a permission management app could be one way that permission grant documents can end up in an approved location, and that in some implementations an OP could do double-duty as the permission manager, which might yield a good user experience.
the user could have any number of permission managers. the app just needs to know the URIs of its grant documents (presumably via a preference also maintained by the permission manager).
I think for that to work client could only present capability credentials created after user's interaction with consent screen. We have discussed possibility where OP based on result of user consent screen could produce credentials for specific audience. I think we still need to clarify use cases which would motivate such requirements, in case it comes into play, do you see a way to create audience specific client capability credentials 'on demand' ?
from authorization-panel.
by "audience specific", do you mean specific to the client to which it was issued (example: same app, different device), or do you mean different capabilities for different resource servers?
one way "client•device specific" (which i think will not accord with an ordinary user's expectations) can be accommodated is by ensuring each client•device instance has a distinct app id. "on demand" can be accommodated, should that ever be needed, by having an authorized location for these URIs be a dynamic API endpoint instead of simple storage.
"different resource servers" is already accommodated in my concrete proposal, where an acl:AppAuthorization
applies either as default (acl:origin "*"
) or to a specific origin and potentially to a specific protection space/realm at an origin. one thing i've been considering for the presentation side is allowing multiple App Authorizations to be presented at once, so an app could present the default one and one specific for that RS. this could be accomplished by allowing an array (if using JSON, for example in a proof token), or multiple instances (if using an HTTP Link request header or POST
body parameters).
being able to specify multiple App Authorization URIs at once can also be used for the "client•device specific" case (with OIDC) if some App Authorizations were to apply to a shared app id and some applied to a device-specific client id.
from authorization-panel.
Can someone describe the use case for one (Web)Id and multiple Id providers?
from authorization-panel.
or one of them might be a specially privileged intranet one and the other a more ordinary global one
I think we may need to specify that if client accepts WebID as user input, for cases where resolved WebID Profile delegates to multiple OPs, client SHOULD prompt the user to select one specific OP for that interaction. This would only apply to clients and RS just needs to verify that any of the OPs issued the token.
from authorization-panel.
client SHOULD prompt the user to select one specific OP for that interaction
Agreed. I think this would eliminate most problems that could be encountered.
from authorization-panel.
Authorization Agent mentioned it #29 (comment) would be responsible for AuthZ. OP only stays responsible for AuthN.
Authorization Agent indeed stores Access Authorizations in Authorization Registry on solid storage specified by the user in RegistrySet.
from authorization-panel.
Related Issues (20)
- Required Credentials Discovery HOT 6
- support Trig serialization of Access Control Resources
- define a 2nd relation for ACRs to go with "acl" HOT 1
- Ideas for access modes and corresponding operations in the Protocol HOT 53
- acp:CreatorAgent logic HOT 5
- place meeting minutes on "draft-minutes" branch HOT 3
- Process Point of Order in meeting 2021-09-29 HOT 15
- ACP Draft design flaw HOT 18
- Distinction between policies which can be enforced by technology and by law HOT 5
- Enforce a secure default for client restrictions HOT 5
- Consider ACP matcher for conditional by relationship
- Update authorization-ucr's editors HOT 5
- Specify that the modes available are calculated using the resolution algorithm.
- Remove acp:mode from Context properties HOT 2
- Cannot match a context that contains a client/issuer HOT 4
- ACP vocabulary base URI problems HOT 1
- Serve ACP vocabulary from its base URI
- Authorization focused meetings HOT 13
- Clarify and/or mitigate risks related to negation (acp:deny) HOT 2
- ACP acronym also used for: Authoritative Claims Provider (OIDC + VC)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authorization-panel.