You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
oidc-auth-manager will have inconsistent/non-deterministic behavior if a webid lists multiple solid:oidcIssuer triples.
a webid should be allowed to list multiple issuers. potential use cases:
a user might want to use their webid with a publicly accessible provider as well as a private network ("intranet" / homenet / enterprise) provider;
a user might want to use a normal OpenID provider and the Self-Issued OpenID Provider or static openid-configuration/jwks files, to allow for ordinary web browser access as well as command-line tool access;
a user might be transitioning from one provider to another and need a period of overlap;
because why not? :)
the logic right now appears to be "find the provider and compare it against the iss claim in the id_token". this can fail if there's more than one provider, depending on which of the providers is selected by anyValue().
the logic should be "confirm that the iss is an approved provider according to the user" as that is more general and tracks the user's preference and intent.
one potential issue with changing this behavior is that the comment for http://www.w3.org/ns/solid/terms#oidcIssuer is "The preferred OpenID Connect issuer URI for a given Web ID". either this comment should be changed to reflect the possibility of multiple issuers (for example, "An approved OpenID Connect issuer URI for a given Web ID"), or a different predicate should be used (perhaps http://openid.net/specs/connect/1.0/issuer?). this is also a webid-oidc-spec issue.
The text was updated successfully, but these errors were encountered:
oidc-auth-manager will have inconsistent/non-deterministic behavior if a webid lists multiple
solid:oidcIssuertriples.a webid should be allowed to list multiple issuers. potential use cases:
the logic right now appears to be "find the provider and compare it against the
issclaim in the id_token". this can fail if there's more than one provider, depending on which of the providers is selected byanyValue().the logic should be "confirm that the
issis an approved provider according to the user" as that is more general and tracks the user's preference and intent.one potential issue with changing this behavior is that the comment for http://www.w3.org/ns/solid/terms#oidcIssuer is "The preferred OpenID Connect issuer URI for a given Web ID". either this comment should be changed to reflect the possibility of multiple issuers (for example, "An approved OpenID Connect issuer URI for a given Web ID"), or a different predicate should be used (perhaps http://openid.net/specs/connect/1.0/issuer?). this is also a webid-oidc-spec issue.
The text was updated successfully, but these errors were encountered: