# W3C Solid Community Group: Authentication Panel
* Date: 2022-05-23T14:00:00Z
* Call: https://meet.jit.si/solid-authentication
* Chat: https://gitter.im/solid/authentication-panel
* Repository: https://github.com/solid/authentication-panel
## Present
* Aaron Coburn
* elf Pavlik
---
## Announcements
### Meeting Recordings and Transcripts
* No audio or video recording, or automated transcripts without consent. Meetings are transcribed and made public. If consent is withheld by anyone, recording/retention must not occur.
* Use panel chat and repository. Queue in call to talk.
### Participation and Code of Conduct
* [Join the W3C Solid Community Group](https://www.w3.org/community/solid/join), [W3C Account Request](http://www.w3.org/accounts/request), [W3C Community Contributor License Agreement](https://www.w3.org/community/about/agreements/cla/)
* [Solid Code of Conduct](https://github.com/solid/process/blob/master/code-of-conduct.md), [Positive Work Environment at W3C: Code of Ethics and Professional Conduct](https://github.com/solid/process/blob/master/code-of-conduct.md)
* If this is your first time, welcome! Please introduce yourself.
### Scribes
*
---
## Agenda
### Open PRs
https://github.com/solid/solid-oidc/pulls
* [primer: use correct token in request flow (steps 7 & 8) #170](https://github.com/solid/solid-oidc/pull/170) ✅
* [make webid scope required for DCR #171](https://github.com/solid/solid-oidc/pull/171)
### Issues
https://github.com/solid/solid-oidc/issues
* [Autoexpiry of DCR-registered clients #167](https://github.com/solid/solid-oidc/issues/167)
## Minutes
### Require "webid" scope for OIDC Dynamic Client Registration #168
* AC: Should webid be a must? Let's say you initiate DCR and specify that you want scopes `openid email`. Later on you want to use `client_id` and `client_secret` and want to use an additional scope. I think it would give an invalid scope.
* eP: We only talk about making it a must on the client, so the Solid App, since we do it in the Solid-OIDC spec.
* AC: That makes sense.
### Autoexpiry of DCR-registered clients
* AC: The response has `client_secret_expires_at`, a time when it will expire or `0` if it doesn't expire. The server has to present this value in the response.
* eP: Isn't DCR an ephemeral client?
* AC: For me any DCR client is ephemeral. I would like to in general discourage use of ephemeral clients.
* eP: Are there other clients that are not DCR clients that we would consider ephemeral?
* AC: I don't think so.
* eP: will respond to the issue and will change the wording to explicitly call DCR clients ephemeral clients.
Next meeting will be in two weeks: 2022-06-06