# 2020-08-03 Authentication Panel

## Agenda

* [Add Detail to the "Basic Flow" Issue #55](https://github.com/solid/authentication-panel/issues/55)
* [DPoP Validation #49](https://github.com/solid/authentication-panel/issues/49)
* [Validating the Access Token #50](https://github.com/solid/authentication-panel/issues/50)
* Acknowledgments Section
* Dynamic registration concerns (inc refresh flow)
* [Next week agenda](https://hackmd.io/DQtI8XCRSOi-qgLJV40tBg)

## Present

* Davi
* Ricky
* Pavlik
* Aaron
* Henry
* Jackson
* Justin
* Sarven

## Minutes

### [Add Detail to the "Basic Flow" Issue #55](https://github.com/solid/authentication-panel/issues/55)

- Ricky: I plan to create a diagram but first want to check with Jackson if he has some specific requirements.
- Pavlik: I think we need to specify WWW-Authenticate parameters in the 401 response.
- Ricky: If we want to be specific we will need to register a scheme with IANA; can we piggyback on an existing scheme?
- Aaron: My understanding of WWW-Authenticate parameters gives a lot of flexibility in what can be used. I understand them as hints to the client; I will reread the spec to verify.
- Ricky: This section just warms the reader up for the next parts of the spec. The Basic Flow section should just give a high-level overview.
- Jackson: I think it makes sense. Let's wait for the diagram which you plan to include.

### [DPoP Validation #49](https://github.com/solid/authentication-panel/issues/49)

- Ricky:
- Pavlik: I would suggest to just remove that sentence.
- Aaron: I would suggest the first sentence (delegate to the DPoP spec) as normative and the second sentence as non-normative.

### [Validating the Access Token #50](https://github.com/solid/authentication-panel/issues/50)

- Pavlik: I think we need to emphasise the difference between the DPoP Proof signed by the client vs the DPoP-bound Access Token (JWT) signed by the IdP.
- Aaron: DPoP is self-contained; it includes the public key which should be used to verify the proof. It doesn't require dereferencing any keys.
- Pavlik: I would only specify how to verify the signature on the JWT made by the IdP.
- Aaron: We should clarify that if the token is bound with DPoP the DPoP validation MUST be performed.
- Aaron: To verify the JWT signature you need to know the public key used to sign it.

### Acknowledgments Section

- Ricky: I look for your guidance on it. Where do I find the list of names to include?
- Sarven: Usually up to the editors. Reading from issues, meetings/chats, pick up all names to acknowledge (pretty liberal).
- Ricky: We can make a PR for that section and make commits to that branch.

### Dynamic registration concerns (inc refresh flow)

https://github.com/solid/authentication-panel/issues/56

- Jackson: I was proposing to just leave dynamic registration as required.
- Aaron: I'm using static registration as well.
- Jackson: I meant to require registration (dynamic or static); the current draft makes any registration optional.
- Aaron: If OIDC requires it we can't change it to optional.
- Ricky: In Solid an IdP may be created which doesn't require dynamic registration.
- Aaron: You need a client_id.
- Jackson: NSS treats redirect_uri as client_id and doesn't require dynamic registration.
- Aaron: Any optional behaviour should be discoverable.
- Jackson: If we make registration optional altogether we hit the issue of not having a client_id.
-