Comments (3)
Regarding the aspect of the Client authenticating to the Resource Server: depending on which identifier the RS needs to authenticate, we seem to have different reliance on the Authorization Server. If client only needs to identify client by the key it holds and to which the token stays bound, RS can directly verify possession of that key. If we rely on some identifier like redirect_uri, RS can't directly verify it and needs to rely on Authorization Server using it in Authorization Code grant.
The requirement on which identity the client has to prove to the Resource Server also seems related to outcomes of Authentication panel. If the access token includes (by value or reference) all the client authorization information that the Resource Server should apply to the client using that access token, we can think of those authorizations as 'semantic scopes'; the Resource Server doesn't need to verify any other client identity and use it to discover authorization details it should apply to the client.
from authentication-panel.
If we rely on some identifier like redirect_uri, RS can't directly verify it and needs to rely on Authorization Server using it in Authorization Code grant.
Unless the RS requires a token that it issues itself. As you mentioned in today's panels, that could be an option in the rare case that the RS wants to identify the client.
from authentication-panel.
Yes, precisely some AS would still issue the token and RS would need to rely on that AS verifying redirect_url, just it would be AS designated by a user with acl:Control and not one associated with any other user with some other mode of access.
from authentication-panel.
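The distinction drawn in the first comment, as an added Go sketch that is not part of the thread or of any Solid specification: the RS checks possession of the bound key itself, while redirect_uri reaches it only as a claim signed by the AS. The token layout, function names and example URLs are assumptions made for illustration; this is a simplified construction, not DPoP or a JWT.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Token is a constructed, simplified access token (not a JWT or a Solid-OIDC token).
type Token struct {
	KeyThumbprint string // hash of the client key the AS bound the token to
	RedirectURI   string // identifier the AS checked during the Authorization Code grant
	ASSignature   []byte // AS signature over the two fields above
}

func tokenBytes(t Token) []byte { return []byte(t.KeyThumbprint + "\n" + t.RedirectURI) }
func thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// IssueToken plays the AS: it binds the token to the client key and asserts redirect_uri.
func IssueToken(asKey ed25519.PrivateKey, clientPub ed25519.PublicKey, redirectURI string) Token {
	t := Token{KeyThumbprint: thumbprint(clientPub), RedirectURI: redirectURI}
	t.ASSignature = ed25519.Sign(asKey, tokenBytes(t))
	return t
}

// VerifyAtRS plays the RS: key possession is checked directly, redirect_uri only via the AS.
func VerifyAtRS(asPub ed25519.PublicKey, t Token, clientPub ed25519.PublicKey, request, proof []byte) (string, error) {
	if !ed25519.Verify(asPub, tokenBytes(t), t.ASSignature) {
		return "", errors.New("token not signed by the trusted AS")
	}
	if thumbprint(clientPub) != t.KeyThumbprint {
		return "", errors.New("presented key is not the key the token is bound to")
	}
	if !ed25519.Verify(clientPub, request, proof) {
		return "", errors.New("no proof of possession of the bound key")
	}
	return t.RedirectURI, nil // AS-asserted; the RS has no way to test it itself
}

func main() {
	asPub, asKey, _ := ed25519.GenerateKey(nil)
	cPub, cKey, _ := ed25519.GenerateKey(nil)
	req := []byte("GET https://rs.example/data") // constructed request
	tok := IssueToken(asKey, cPub, "https://app.example/callback")
	fmt.Println(VerifyAtRS(asPub, tok, cPub, req, ed25519.Sign(cKey, req)))
}
```

The value returned by `VerifyAtRS` is trustworthy only to the extent that the RS trusts the AS whose key it was given, which is the reliance the thread discusses.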