
OIDC Issuer discovery from WebID Profile #2014

Open
2 of 4 tasks
elf-pavlik opened this issue Mar 12, 2022 · 5 comments

Comments

@elf-pavlik

Search terms you've used

WebID

Impacted environment

In which environment would the proposed feature apply ?

  • The browser
  • Node.js
  • Other (please specify): ...
  • I'm not sure.

Feature suggestion

The library should be able to discover the OIDC Issuer from the WebID Profile; this would be used in two places:

  1. getWebidFromTokenPayload currently only seems to verify the JWT, but not whether the OIDC Issuer is allowed for that WebID. The client cannot rely on the fact that the user actually controls the WebID without checking it. It seems that, currently, the client can't consider a user to be authenticated as the WebID without doing that additional verification.

  2. Client could use the discovery feature directly to get a list of valid OIDC Issuers and let users select which one they want to use to authenticate.

Use Cases

In https://github.com/janeirodigital/sai-impl-service/ we want to authenticate users and verify their control over the WebID to create an instance of Authorization Agent associated with that WebID.

The front end should also support the user entering their WebID and, if multiple OIDC issuers are discovered, prompt the user to select which one they would like to use.

@NSeydoux
Contributor

This is a feature we want to implement soon. I'll update this issue as it progresses.

@elf-pavlik
Author

I just wanted to check if there has been any progress on this feature.

@elf-pavlik
Author

Until the client verifies solid:oidcIssuer it can't consider the end-user authenticated.

I think you may consider adding a warning that the clients using this library can't rely on session.info.webId since the lib didn't verify that issuer of the ID Token is valid for that WebID.

If the client doesn't use session.info.webId anywhere, it doesn't matter, but some clients might want to rely on the user being authenticated with the client, and currently this seems to be a wrong assumption.

@NSeydoux
Contributor

There hasn't been progress on this yet; unfortunately, we've had other features that took priority over this. In particular, there is a significant refactoring of the auth library that we have been planning for a while now, around the adoption of the pattern where the client doesn't assume the OP will return an Access Token. I'll make sure that, if we don't get to it before, what you've described here is implemented as part of that refactoring.

@elf-pavlik
Author

elf-pavlik commented Sep 26, 2022

This is really good news @NSeydoux

I think meanwhile you might still want to warn developers that if they want to use session.info.webId on the client, they have to verify the solid:oidcIssuer statement in the WebID profile themselves, otherwise they can not really trust that value.

It is pretty straightforward:

  • fetching WebID
  • parsing turtle
  • matching triple pattern provided in Solid-OIDC spec
    • a match - valid
    • no matches - invalid

Possibly this could be reused https://github.com/CommunitySolidServer/access-token-verifier/blob/main/src/algorithm/retrieveWebidTrustedOidcIssuers.ts

EDIT: I created CommunitySolidServer/access-token-verifier#211 since DPoP also should be verified.
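A worked version of the check described in this thread (fetch the WebID profile, parse the Turtle, match the `solid:oidcIssuer` triple pattern, exact match means valid, no match means invalid), added here as an example; it is not code from solid-client-authn-js or from access-token-verifier. It assumes the profile document has already been retrieved as Turtle (the sample profile below is constructed), implements only the small Turtle subset the pattern needs, and compares the ID Token's `iss` against the discovered issuers by exact, case-sensitive string match. The function names are the example's own. The same issuer list also serves point 2 of the feature suggestion, letting the front end offer the user a choice when more than one issuer is discovered.

```javascript
// Added example (not solid-client-authn-js or access-token-verifier code): after
// the ID Token signature has been verified, confirm that its `iss` is one of the
// `solid:oidcIssuer` values the WebID profile lists for that WebID. Only a minimal
// Turtle subset is parsed (prefixes, IRIs, prefixed names, string literals, `;`
// and `,` lists); a production client should use a real RDF parser.

const RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type";
const SOLID_OIDC_ISSUER = "http://www.w3.org/ns/solid/terms#oidcIssuer";

// Constructed sample profile, as a WebID server might serve it as text/turtle.
const SAMPLE_WEBID = "https://alice.example/profile/card#me";
const SAMPLE_PROFILE_TURTLE = `
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<#me>
    a foaf:Person ;
    foaf:name "Alice" ;
    solid:oidcIssuer <https://idp.example> , <https://login.example/> .
`;

// Resolve a relative IRI against the profile document URL. Absolute IRIs are kept
// verbatim so the later string comparison is not disturbed by URL normalisation
// (the URL class would, for instance, add a trailing slash to "https://idp.example").
function resolveIri(raw, base) {
  return /^[A-Za-z][A-Za-z0-9+.-]*:/.test(raw) ? raw : new URL(raw, base).href;
}

function parseTurtle(text, base) {
  const prefixes = {};
  const triples = [];
  const withoutComments = text.replace(/^\s*#.*$/gm, "");
  const tokens = withoutComments.match(
    /<[^>]*>|"(?:[^"\\]|\\.)*"(?:@[\w-]+|\^\^(?:<[^>]*>|[^\s;,.]+))?|[;,.]|[^\s;,.]+/g,
  ) || [];
  let i = 0;
  const next = () => {
    if (i >= tokens.length) throw new Error("unexpected end of Turtle input");
    return tokens[i++];
  };
  const term = (tok) => {
    if (tok === "a") return RDF_TYPE;
    if (tok.startsWith("<")) return resolveIri(tok.slice(1, -1), base);
    if (tok.startsWith('"')) return tok; // literal, kept as written
    const colon = tok.indexOf(":");
    const prefix = colon === -1 ? null : tok.slice(0, colon);
    if (prefix === null || !(prefix in prefixes)) throw new Error(`cannot expand ${tok}`);
    return prefixes[prefix] + tok.slice(colon + 1);
  };
  while (i < tokens.length) {
    const first = next();
    if (first === "@prefix" || first.toLowerCase() === "prefix") {
      const name = next().slice(0, -1); // "foaf:" -> "foaf"
      prefixes[name] = resolveIri(next().slice(1, -1), base);
      if (tokens[i] === ".") i++;
      continue;
    }
    const subject = term(first);
    let predicate = term(next());
    for (;;) {
      triples.push({ subject, predicate, object: term(next()) });
      const sep = next();
      if (sep === ",") continue;
      if (sep === ";") {
        if (tokens[i] === ".") { i++; break; } // trailing ';' before '.'
        predicate = term(next());
        continue;
      }
      if (sep === ".") break;
      throw new Error(`unexpected token ${sep}`);
    }
  }
  return triples;
}

// The Solid-OIDC triple pattern: <webid> solid:oidcIssuer ?issuer .
function trustedOidcIssuers(profileTurtle, webId) {
  const documentUrl = webId.split("#")[0];
  return parseTurtle(profileTurtle, documentUrl)
    .filter((t) => t.subject === webId && t.predicate === SOLID_OIDC_ISSUER)
    .map((t) => t.object);
}

// `iss` is compared as an exact, case-sensitive string; no match means the token
// proves nothing about control of the WebID.
function issuerIsTrustedForWebId(profileTurtle, webId, issuer) {
  return trustedOidcIssuers(profileTurtle, webId).includes(issuer);
}

// Apply the check to an already signature-verified ID Token payload. The WebID is
// taken from the `webid` claim, falling back to `sub` as older Solid-OIDC drafts did.
function webIdFromVerifiedPayload(payload, profileTurtle) {
  const webId = payload.webid || payload.sub;
  if (!webId || !payload.iss || !/^https?:\/\//.test(webId)) return null;
  return issuerIsTrustedForWebId(profileTurtle, webId, payload.iss) ? webId : null;
}

// Demo on the constructed profile.
const verifiedPayload = { iss: "https://idp.example", webid: SAMPLE_WEBID, sub: "alice" };
console.log(webIdFromVerifiedPayload(verifiedPayload, SAMPLE_PROFILE_TURTLE)); // -> "https://alice.example/profile/card#me"
console.log(webIdFromVerifiedPayload({ ...verifiedPayload, iss: "https://evil.example" }, SAMPLE_PROFILE_TURTLE)); // -> null
```

In a real client the profile is fetched from the WebID's document URL (the part before `#`) with `Accept: text/turtle`, following redirects; a fetch failure or a profile without any `solid:oidcIssuer` triple must be treated as "not authenticated", not as "no restriction". Note that the trailing-slash case in the test is deliberate: `https://idp.example` and `https://idp.example/` are different issuer strings, so a client that normalises URLs before comparing them can accept an issuer the profile never listed.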
