During AuthZ panel we discussed some scenarios where WebID Profile shouldn't disclose some specific OIDC issuers.
Those cases relate mostly to situations where a certain security domain requires a specific OP, but the user doesn't want to disclose in their WebID Profile any association with that security domain.
I think we have a few options here. One would recognize that in the mentioned scenario the AS associated with the RS already would know which IdP they can trust, so it wouldn't need to rely on OIDC Issuer discovery. In that case, we probably want to provide a way for the OP to verify the user's control over the given WebID.
Another option would connect to a prior discussion about Self-issued OIDC #91, where the WebID Profile could publish the trusted public key without having to disclose the issuer. I would see it as an alternative, not a replacement to solid:oidcIssuer the issuer.
In that case, the OP couldn't rotate keys independently; I would consider recommending that the OP creates a dedicated key pair per user. This would also minimize the possibility of deducing the OP by recognizing common public keys.
Last but not least, we should also keep in mind that while we could avoid public disclosure of the OIDC issuer, clients (apps) the user uses with that IdP would still gain that knowledge.
/cc @matthieubosquet
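Added example (not code from the issue or the Solid project) modelling the three trust paths discussed above and the key-linkage concern: a verifier that accepts a token via a preconfigured OP, via solid:oidcIssuer, or via a key published in the profile, plus a check that shows why a key shared across users would let an observer infer a common OP. The "ex:trustedKey" predicate and all profile data are constructed placeholders; real deployments must also verify the JWS signature, which is assumed to happen elsewhere.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample WebID profiles, reduced to the predicates relevant here.
# solid:oidcIssuer is the predicate the issue refers to; "ex:trustedKey" is a
# hypothetical placeholder for the "publish a trusted public key" alternative.
SHARED_KEY = {"kty": "OKP", "crv": "Ed25519", "x": "c2hhcmVkLW9wLWtleS0x"}
PER_USER_KEY = {"kty": "OKP", "crv": "Ed25519", "x": "ZGVkaWNhdGVkLWtleS1kYW4"}
PROFILES = {
    "https://alice.example/#me": {"solid:oidcIssuer": "https://op-a.example"},
    "https://bob.example/#me": {"ex:trustedKey": SHARED_KEY},
    "https://carol.example/#me": {"ex:trustedKey": SHARED_KEY},
    "https://dan.example/#me": {"ex:trustedKey": PER_USER_KEY},
}

# Required JWK members per key type, as listed in RFC 7638.
REQUIRED = {"OKP": ("crv", "kty", "x"), "RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def thumbprint(jwk):
    """RFC 7638 JWK thumbprint: required members only, sorted, no whitespace, SHA-256."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def resolve_trust(profile, token_iss, token_jwk, preconfigured_ops=frozenset()):
    """Return which path lets the verifier accept token_iss for this profile.
    Order: the AS's own preconfigured OP list (no discovery, nothing disclosed in
    the profile), then solid:oidcIssuer, then a profile-published key; else reject.
    token_jwk is the key the (already signature-verified) token was signed with."""
    if token_iss in preconfigured_ops:
        return "preconfigured"
    if profile.get("solid:oidcIssuer") == token_iss:
        return "oidcIssuer"
    key = profile.get("ex:trustedKey")
    if key is not None and token_jwk is not None and thumbprint(key) == thumbprint(token_jwk):
        return "published-key"  # issuer stays undisclosed in the profile
    return "reject"


def shared_key_groups(profiles):
    """WebIDs publishing the same key thumbprint. Any group larger than one lets
    an observer infer those users share an OP; a dedicated key per user avoids it."""
    groups = defaultdict(list)
    for webid, profile in profiles.items():
        key = profile.get("ex:trustedKey")
        if key is not None:
            groups[thumbprint(key)].append(webid)
    return {tp: ids for tp, ids in groups.items() if len(ids) > 1}
```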