Support for Solid-OIDC v0.1.0 (with UMA AS) #3181

elf-pavlik opened this issue Oct 12, 2023 · 5 comments

Comments

@elf-pavlik

Search terms you've used

UMA, as_uri, claim_token

Impacted environment

In which environment would the proposed feature apply?

  • The browser
  • Node.js
  • Other (please specify): ...

Any environment which the library wants to support: Deno, Bun, etc.

Feature suggestion

Support for https://solidproject.org/TR/oidc (published on 2022-03-28)

Expected functionality/enhancement

The client should use a DPoP-bound ID token and push it as a claim to the UMA AS.
Access tokens shouldn't cross security domains and should only be used with the RS that advertised the AS via as_uri.

Actual functionality/enhancement

Use Cases

There is an open source Keycloak extension coming which conforms to the published Solid-OIDC draft:
https://github.com/CarrettiPro/keycloak-solid

Preferably this client should be able to work with it.

@NSeydoux
Contributor

Hi @elf-pavlik, thanks for reaching out. This is indeed a planned improvement of this library, for which the timing still hasn't been determined.

@elf-pavlik
Author

Hi @NSeydoux. I'm hoping to bring up the broader issue of implementations for Solid-OIDC v0.1.0 during next week's Solid CG meetings. If someone steps up to contribute this update and/or secure funding for that work, should they know about any prior design work, or just assume that they will need to PR it starting from the main branch? I believe this issue could be used to have an initial discussion about the planned design.

@damooo

damooo commented Oct 12, 2023

Also please note that clients currently don't send the DPoP-bound ath claim in the DPoP proof. The current DPoP protocol requires it.

See the issue manomayam/manas#27 for other client-side idiosyncrasies.

@NSeydoux
Contributor

There has been some prior work indeed: the intent is for this library to implement a so-called Reactive Authentication pattern, an instance of which is already implemented in https://github.com/inrupt/solid-client-java. At a high level, this means instead of preemptively sending the global access token, an authenticated session would hold on to credentials (including but not limited to the ID Token), and go through the UMA flow to dynamically negotiate with the Authorization Server which credentials should be used as claim tokens to get access to the target Resource.

I am happy to get into more details if someone is interested in contributing, but I have to say, I anticipate this to be a significant undertaking that involves a lot of internal refactoring of the library.

@lecoqlibre

Any news on this?

It would be great if this library supported Solid-OIDC v0.1.0!

So we could build apps that follow the current spec :)
