## 2020-06-29 Authentication Panel
## Agenda
* Missing PR
* Archiving Dmitri's draft
* [Proposal: Standardize the WebId's content as only auth-specific #48](https://github.com/solid/authentication-panel/issues/48)
* [Next week agenda](https://hackmd.io/3TVp_pPWR3u_z339Ox22gg)
## Present
* Dmitri Zagidulin
* Aaron Coburn
* Jackson Morgan
* elf Pavlik
* Justin Bingham
* Ricky White
* Adam Migus
## Minutes
### Missing PR
- Ricky: We discussed release progress with Inrupt. We were unhappy to make it public. We will have a meeting with Inrupt to work on fixing it.
- Adam: As of now, the document is inconsistent. Releasing it to the panel is releasing it publicly.
- ...: The protocol is inconsistent. We discussed the single RS use case vs the multi RS use case. We see everything as a multi RS use case. When you deal with multi RS, the protocol breaks down. You need to ask every RS which claims they need. The client needs to get a token for each RS.
- Justin: The whole reason the spec exists is to cover the multi RS use case. If you have a lot of RS, the possible performance issue is more general for decentralized scenarios.
- Adam: The fact that you need to make multiple trips is in a way an implementation detail. Still, if it performs too poorly it will not help adoption.
- Adam: The issue of the draft is only for this week. We will have a meeting to resolve it today in the afternoon.
- Aaron: The potential performance penalty can be better evaluated if we have actual performance metrics. This way we can see if it will be noticeable to the user and have more fruitful conversations.
- Adam: Can you provide that?
- Aaron: I could write something to figure it out.
- Jackson: We are going to see the draft soon. Then we should have reference implementations and after that official approval.
- Adam: We should decide on the draft this afternoon and hopefully have it out this week. Within weeks we will have a second draft. After that we will accept feedback over GitHub and work on the final draft. For the final draft we will need to change it to the format a W3C spec requires.
- Jackson: We still need reference implementations.
- Pavlik: W3C has clear stages in spec writing https://www.w3.org/2019/Process-20190301/#Reports
- Adam: We were hired to write the draft but not necessarily shepherd it through the whole REC process.
- Ricky: Our final document will give you First Public Working Draft (W3C).
- Adam: If something is in another spec we delegate to that. We want to include only the necessary minimum in this spec.
### [Proposal: Standardize the WebId's content as only auth-specific #48](https://github.com/solid/authentication-panel/issues/48)
- Jackson: I haven't seen the draft yet. I think the contents of the WebID Profile need to be clarified: what the WebID Profile needs to look like at minimum. The vocab is the same as in the current WebID-TLS draft. I only add a couple of RDF classes. We also should keep in mind that not all WebIDs denote people.
- ...: In the old spec we have the OIDC Issuer discoverable in an HTTP header. I think we should only discover it in the profile document.
- Adam: In the draft we just reference an external spec about WebID.
- Jackson: In the current draft we don't require anything from the WebID Profile.
- Pavlik: We should stay clear that we discuss representation and content of the WebID Document (Profile).
- Jackson: The WebID Document has to reference the OIDC Issuer (provider). Currently we have two ways: 1. in the profile document, 2. in the HTTP header.
- ...: Without that any issuer can claim that it can issue tokens for any WebID.
- Adam: It makes sense. We can articulate it in the spec.
- Ricky: We have it covered in the draft:
> The `sub` claim of the Access Token SHOULD be a WebID. This needs to be dereferenced and checked against the `iss` claim in the Access Token. If the `iss` claim is different from the domain of the WebID, then the RS MUST check the WebID document for a `solid:iodcIssuer` property to check the token issuer is listed. This prevents a malicious identity provider from issuing valid Access Tokens for arbitrary WebIDs.
- Jackson: I think we still need an RDF class. Why is the `sub` claim a SHOULD, not a MUST?
- Adam: We should change it to MUST.
- Adam: We only need to define what needs to be present in the WebID Document for this authentication protocol.
- Jackson: It doesn't talk about the mechanism by which the RS would verify that the WebID is what the token claims.
- ...: In NSS, when the storage server receives a token, it will go fetch the WebID and verify the OIDC issuer.
- Adam: We didn't specify anything about the resolution mechanism.
- Justin: There is a lot beyond authentication in what goes into WebID Document. This spec should only define what this auth protocol requires.
- Pavlik: Should we mention that WebID draft makes `text/turtle` a MUST representation?
- Adam: I don't see a reason to include representations in the spec.
## Actions
Aaron: To write a benchmark for requesting one token per RS