You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Apr 13, 2022. It is now read-only.
Copy file name to clipboardExpand all lines: README.md
+21-1Lines changed: 21 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -43,7 +43,7 @@ See also: [Motivation for WebID-OIDC](motivation.md).
43
43
### Benefits and Capabilities
44
44
45
45
* Fully decentralized cross-domain authentication (any peer node can serve as
46
-
an identity provider as well as a relying party to any other node)
46
+
an identity provider as well as a relying party to any other node) made possible by [PoP Tokens](https://tools.ietf.org/html/rfc7800).
47
47
* Builds on decades of real-world authentication industry experience
48
48
* Incorporates lessons from, and fixes to threat models of: SAML, OpenID and
49
49
OpenID 2, OAuth and OAuth 2. See, for example, [RFC 6819 - OAuth 2.0 Threat
@@ -99,6 +99,8 @@ WebID-OIDC makes the following changes to the base OpenID Connect protocol
99
99
* Specifies the [Authorized OIDC Issuer
100
100
Discovery](#authorized-oidc-issuer-discovery) process (used as part of
101
101
Provider Confirmation, and during Provider Selection steps).
102
+
* Utilizes [PoP tokens](https://tools.ietf.org/html/rfc7800) to securely
103
+
query a wide array of resource providers.
102
104
103
105
It's also worth mentioning that while traditional OpenID Connect use cases are
104
106
concerned with retrieving user-related claims from [UserInfo
@@ -304,6 +306,24 @@ that profile, she would add the following triple to her profile:
304
306
<#me> solid:oidcIssuer <https://provider.com> .
305
307
```
306
308
309
+
## Securing tokens for multiple resource providers
310
+
311
+
#### The Problem
312
+
313
+
Unlike standard implementations of OIDC, WebID-OIDC must deal with a number of RPs many of which the OP will not know about. OIDC defines the `aud` claim which defines the RPs for which a token can be used.
314
+
315
+
However, given Solid's use case, a token should be usable for any RP so the user may federate a query across multiple Pods, so the `aud`ience cannot be constrained. Yet, an unconstrained `aud`ience opens up the possibility of token stealing. In this case, a user sends a request to `evilPod.example`. The Pod returns the requested information, but now has the user's token and may pretend to be the user on any other Pod in the world.
316
+
317
+
#### The Solution
318
+
319
+
The solution employs [Proof of Possession (PoP) tokens](https://tools.ietf.org/html/rfc7800) changing the way the Bearer token is constructed:
320
+
321
+
1. A client application generates a public and private key.
322
+
2. The client generates a request `JWT` just as it would under normal OIDC with the addition of a `key` field containing the public key.
323
+
3. Authentication proceeds normally and yeilds a signed `id_token` where the `aud`ience is the client application (represented by the `origin` of the provided `redirect_uri`) and an additional field `cnf` is provided containing the client's public key.
324
+
4. Before sending requests to any RPs, the client generates a new signed JWT PoP token containing the RP's uri as the `aud`ience and an `id_token` feild containing the `id_token` provided by the OP.
325
+
5. When an RP receives the PoP token, it MUST reject any tokens containing a mismatched audience or a signature that is not associated with the public key in the `cnf` claim.
326
+
307
327
## Detailed Sign In Workflow Example
308
328
309
329
To walk through a more detailed example for WebID-OIDC login, refer to the
0 commit comments