Comments (7)
The consensus from the 2019-10-21 Authentication panel meeting was:
- Yes, we should use the
WWW-Authenticate
response header as the designated mechanism for a Resource Server to communicate which authentication method that server is using. - The registry of supported methods should live in the top-level Solid spec. (With the understanding that the initial 1.0 spec version will support just one mechanism.)
from authentication-panel.
I think the question still remains (which I forgot to bring up in the meeting):
Which attribute of the WWW-Authenticate
header do we use to communicate the authentication mechanism a server is using?
Currently, Node Solid Server is using the scope
attribute, where scope="openid webid"
means "WebID-OIDC".
Are folks ok continuing to use that attribute?
from authentication-panel.
Well according to the Mozilla document on WWW-Authenticate,
WWW-Authenticate: <type> realm=<realm>
you use the type to specify the types of authentication methods allowed. They list an IANA registry of those.
My guess is that if the server wants to offer a number of different methods, it should send a number of WWW-Authenticate
headers. I am not sure where the scope
keyword comes from.
from authentication-panel.
WWW-Authenticate: Bearer scope="tls webid", realm="whatever"
is improper, because it has nothing to do with OAuth2-style bearer tokens. a different auth-scheme
should have been used for this case, like
WWW-Authenticate: WebID-TLS realm="whatever"
if we're going to document deprecated legacy behavior that was deployed, putting the Bearer scope="tls webid"
in a registry somewhere is fine and all, but if we wanted to be serious about WebID-TLS again, transitioning to a different auth-scheme would be more appropriate.
while we're at it, i've always had a problem with using the Bearer
auth-scheme for the current POPToken scheme, since POPTokens, being manufactured by the client instead of being issued to the client by the RS's authorization server (#1, #12), aren't in the spirit of OAuth2 bearer tokens (that is, they're as much a "bearer token" as the Base64(username ":" password)
of HTTP Basic Auth). in an ideal world, a different auth-scheme would have been used for this too, like
WWW-Authenticate: Solid-POPToken realm="whatever"
from authentication-panel.
@zenomt All good points. The scope="tls webid"
was just a historical solid-auth-client implementation note; not intending to carry it forward.
from authentication-panel.
i've always had a problem with using the Bearer auth-scheme for the current POPToken scheme
DPoP draft intends to register DPoP token type for Bearer authentication scheme
https://github.com/danielfett/draft-dpop/blob/master/mainmatter.md#oauth-access-token-type-registration
OAuth Access Token Type Registration
This specification registers the following access token type in the
OAuth Access Token Types registry defined in [RFC6749].
- Type name: "DPoP"
- Additional Token Endpoint Response Parameters: (none)
- HTTP Authentication Scheme(s): Bearer
- Change controller: IETF
- Specification document(s): [[ this specification ]]
Also in Justin's book I've noticed use of PoP
https://livebook.manning.com/book/oauth-2-in-action/chapter-15/36
HTTP POST /foo
Host: example.org
Authorization: PoP eyJhbGciOiJSUzI1NiJ9.eyJhdCI6ICI4dXloZ3Q2Nzg5MDQ5...
Not sure how those two registries supposed to work together
- https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
- https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types
If we use authentication scheme in WWW-Authenticate
header, we can't really communicate token type. Possibly related to mentioned tendency to conflate authentication and authorization.
from authentication-panel.
@elf-pavlik Ahhh yeah, ok, you're right, the DPoP draft spec does specify using 'DPoP' as the Authentication scheme.
So then we'll use as a response header:
WWW-Authenticate: DPoP realm="<optional realm>" scope="openid webid"
to indicate that the RS supports the DPoP presentation mechanism.
from authentication-panel.
Related Issues (20)
- HttpSig and Nonces
- lost contributions in move of HttpSig doc HOT 3
- keyId's do not exactly refer to keys anymore HOT 4
- HttpSig, Signature, or Solid?
- Ontology for the KeyId document HOT 8
- support did-jwt ? HOT 8
- Clarify the behaviour if/when multiple oidcRegistrations are present HOT 1
- On phishing with a WebID HOT 14
- Multiple WWW-Authenticate and Authorization headers
- can `keyid` really hold a URL? HOT 2
- Should Solid specify a syntax for Realm? HOT 1
- sending access control rules to the client in 401 body? HOT 8
- Solid-OIDC Conformance Discovery - not supporting Solid-OIDC MUST NOT provide a value HOT 2
- security vocabulary definitions
- Should Solid-OIDC mention RFC 8707 OAuth 2.0 Resource Indicators ? HOT 6
- Find ways of engaging more with the community HOT 6
- Document reference implementations and supported features HOT 2
- OIDC Registration required for OP? HOT 2
- OIDC primer: distinguish roles more clearly in text
- Require `Accept-Signature` header for server response
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authentication-panel.