# 2021-04-26 Solid Authentication

https://meet.jit.si/solid-authentication

## Agenda

* JSON-LD Context for client identifiers
  * Publication URL
  * Substance of [PR](https://github.com/solid/authentication-panel/pull/165)
* OIDC and HTTPSig issues
  * [Multiple WWW-Authenticate headers](https://github.com/solid/authentication-panel/issues/163)
  * [Sending Access control rules in the body of 401?](https://github.com/solid/authentication-panel/issues/167)
  * [Syntax for Realm?](https://github.com/solid/authentication-panel/issues/166)
  * [PR on HTTPSig](https://github.com/solid/authentication-panel/pull/168)
  * Question: [HttpSig, Solid or Signature?](https://github.com/solid/authentication-panel/issues/155)
* [consider support for OIDC self-issuer #11](https://github.com/solid/authentication-panel/issues/163)

## Present

* @elf-pavlik
* Justin Bingham
* Henry Story
* Aaron Coburn

## Minutes

### Discussing JSON-LD context PR

Elf: not so clear on EricP's point. Perhaps he can make a new PR for that improvement?

Aaron: will add that note to the PR.

Aaron quickly explains for Justin the reasons for the PR, regarding having a JSON literal inside of the RDF.

Henry: the problem there was that it is "linked data" content that was in the RDF. In the case of HttpSig, which now also has JSON embedded in the data, this is a literal JWK key that is embedded in it.

Discussion on the vocabulary relating to consent screens.

### [Multiple WWW-Authenticate headers](https://github.com/solid/authentication-panel/issues/163)

Henry: if the resource server wants to allow both HttpSig and Solid-OIDC, it may be hard to combine them in a single WWW-Authenticate header.

Aaron: I don't see problems with multiple WWW-Authenticate headers. Problems may come if we try to use multiple Authorization headers. The questions that arise are: should the server verify all of the tokens or only some?

Henry: I don't think this issue is crucial right now, but since we do have HttpSig and OIDC as well as Basic, it will pop up. So I thought it would be good to gather the things to think about someplace.

### [Sending Access control rules in the body of 401?](https://github.com/solid/authentication-panel/issues/167)

Pavlik: I will make a primer PR with accessing a resource directly with a browser. It would put some requirements on what the 401 response should include (edit: at least for `text/html`).

Aaron: I would be careful about privacy with returning that information.

Aaron: Back in the day, during login a site would respond with 'bad password' or 'unknown username'. Now they just reject and don't leak any information related to user accounts.

Henry: yes, I am not too keen on putting ACL data in the body of a 401 for the reasons given above. Just thought it would be worth gathering those thoughts.

### [Syntax for Realm?](https://github.com/solid/authentication-panel/issues/166)

Aaron: I would consider it archaic, used mostly with Basic authentication. Most recent systems seem to ignore it.

...: When the browser in Basic auth displays the pop-up, it would display the realm string in that pop-up as a description.

Henry: thanks, yes, I was not sure if there was a good way to use those. I'll ignore them for now. But happy to hear of some good use for them.

### [PR on HTTPSig](https://github.com/solid/authentication-panel/pull/168)

Henry went over the changes gained from experience implementing HttpSig. He will finish the PR in the next day.

## Actions