Allow the WebID and OIDC providers to reside on different domains

[RubenVerborgh]

Right now, OIDC providers can only authenticate users on their own domain.

However, the WebID resource could explicitly indicated trusted OIDC domains or providers. For example, then I'd be able to authenticate as https://ruben.verborgh.org/profile/#me from https://drive.verborgh.org/ with OIDC. (Right now, I can only do that via WebID+TLS.)

[elf-pavlik]

Searching for 'OpenID Connect delegation', I've found this StackOverflow answer https://stackoverflow.com/a/28022632 which links to http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax

Would something like below work?

https://ruben.verborgh.org/profile/#me
  http://openid.net/specs/connect/1.0/issuer https://drive.verborgh.org/ .

[dmitrizagidulin]

great find, @elf-pavlik , re http://openid.net/specs/connect/1.0/issuer rel!

[dmitrizagidulin]

@elf-pavlik After some discussion with @timbl, we decided not to go with http://openid.net/specs/connect/1.0/issuer, use solid:oidcIssuer instead:

<https://ruben.verborgh.org/profile/#me>
  <http://www.w3.org/ns/solid/terms#oidcIssuer> <https://drive.verborgh.org> .

[dmitrizagidulin]

I suppose we can add some sort of rdfs/owl equivalence to the specs issuer link, but I'm not familiar enough with ontologies to do that. Feel free to make an addition to solid/vocab#23, though.

[RubenVerborgh]

Depends on the semantics. Are they equivalent? Or is solid:oidcIssuer something more specific?

[dmitrizagidulin]

You're right, I suppose solid:oidcIssuer is more specific; it denotes that the server supports the WebID-OIDC protocol specifically.

[RubenVerborgh]

Done: solid/vocab@c70a6c4

[dmitrizagidulin]

Nice!