Right now, the server supports two different auth modes, confusingly named auth: "tls" and auth: "oidc", even though that doesn't cover exactly what they do. The main problem is that this one setting gives the impression that both methods are mutually exclusive, whereas they are not.
Discussions such as #667, #671, https://github.com/solid/solid-auth-client/issues/44, https://github.com/solid/solid/issues/138, https://github.com/solid/oidc-auth-manager/issues/20 show that there is a need for more clarity, and a better configuration option.
This issue tracks general progress and will act as a tracker for multiple sub-issues.
Here are the steps we need to take in my opinion:
init generator to create the right configauth config sectionFeedback welcome.
I see that currently those 3 mechanisms allow authenticated requests:
Few questions come to my mind:
Remark by @timbl that we should differentiate between AJAX requests and regular browser requests. For the latter, cookie-based sessions are very useful.
I understand that we can rely on bearer token only when we make requests with Fetch API in javascript. Regular browser requests only support client certificates and cookies.
I think in most scenarios RDF Sources would get requested with Fetch API, but Non-RDF Sources which IRIs get used directly as values of src attribute in HTML elements would end up as regular requests.
In that case, WebID-TLS could trigger cert selection popup if media resource embedded in the page requires it. How WebID-OICD supposed to handle those cases if browser doesn't have active cookie session with the origin of that embedded media resource?
I'd also like to check if Service Worker can intercept regular browser requests for media resources and give control back to developer over how requests are performed, possibly also to include bearer token or request Federated Credential https://github.com/solid/solid/issues/142 if needed for WebID-OICD flow.
How WebID-OICD supposed to handle those cases if browser doesn't have active cookie session with the origin of that embedded media resource?
We'd need some scripting to detect this and help us with that.
I'd also like to check if Service Worker can intercept regular browser requests for media resources
That might be possible to a certain extent! I am interested in porting solid-auth-client to a worker, so I can run it in the background (as we currently do for our query client, for instance).
We'd need some scripting to detect this and help us with that.
I started separated issue to discuss Service Workers including possibility of using them in such scenarios. https://github.com/solid/solid/issues/143
https://github.com/solid/solid/issues/142#issuecomment-388639226
@dmitrizagidulin But no session is created (and no cookie is generated) when the RP makes a request to some third Resource Server. So, when I sign into a distributed Twitter type app which fetches messages from a dozen different resource servers, I only have a session with my WebID's IDP, and the app itself. But not with any of those resource servers.
Based on above, server not acting as IdP (OICD Issuer) would never use cookies. Given that, I think for general role of Resource Server (dataset origin) we should never rely on cookie based sessions and for authenticated request only use:
This way it would not matter if client interacts with datasets on same origin as user's IdP or datasets on all other origins.
Thanks for putting this together!
Will there also be a sub issue related to the initialization of a server for the first time. ie running
bin/solid init
Possibly some of this will change too. Is it covered in an existing sub issue?
@melvincarvalho Added to the list above
The proposed changes sound quite large and intrusive, are they? Is this something we should aim for 5.0.0, or is it rather something that should be addressed in a later release where they can be first addressed at an architectural level?
Let's aim for 6.0.0 (it's not assigned to 5.0.0).
Reading through the initial summary, is part of the thinking to make the configuration extensible so that an admin could pass their own OIDC provider into the ResourceAuthenticator initialization such that tokens from 3rd parties could be accepted as valid?
Most helpful comment
@melvincarvalho Added to the list above