-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistency in identifiers for apps: WebIDs and ClientIDs #463
Comments
There is a related issue in Solid-OIDC solid/solid-oidc#95 My preference would be to just provide
I don't think there was ever an intention to have two different documents. Solid-OIDC started with clients simply using WebIDs. Which later were replaced with ClientID and ClientID Document terminology. Duplicate predicates in the |
Agree with picking one - no strong opinion on which - more important to just have one that's definitive. |
Agreed. The EDIT: I'm not sure picking one vocabulary is a good thing here. Interop vocab should indicate data (e.g. labels) useable by Apps/Agents following that spec; Solid-OIDC vocab is meant to indicate data necessary for (Solid) OIDC flows to work. By having both live together in one document, we provide a stable foundation for Interop operations, while also allowing App developpers to switch out (or add) authentication methods. |
On the most urgent matter of the WebID/ClientID Document format, we have a few options:
Personally, I don't have a strong preference. A consideration in favour of Turtle could be that it seems to be somewhat of a standard in many specs and existing applications. On the other hand, keeping JSON-LD as the default keeps up the hope of becoming compatible with OIDC (e.g. with it's Federation's Entity Statements). |
To keep specs orthogonal, I think this should remain this way. As long as they say that RDF MUST be returned, any standard RDF serialization should do. See also this long thread on mandatory versus recommended RDF serializations in the WebID CG: w3c/WebID#3 |
It is important not to conflate things. Firstly, WebIDs can and are used to identify applications. Applications that use this mechanism will also need to be capable of managing private keys and issuing access tokens. In other words, these applications do not use the OAuth2 Second, for applications that do use the Either way, in order to work with OAuth2 and OpenID Connect, the Solid-OIDC specification uses a particular form of compact JSON-LD. This allows the Solid-OIDC specification to make use of and align with the OIDC Dynamic Registration specification. The use of a JSON flavor for serializing this document is unlikely to change. The use of JSON-LD was a compromise in order to fit both the Solid and the OpenID models, but leaving JSON altogether would break conformance with OpenID Connect: and adopting the WebID terminology for that does precisely this. There is some discussion of changing the document format of Client Identifiers to align with the draft OpenID Federation specification, but that would be JSON, not even JSON-LD and certainly not Turtle. Expecting the document format of OpenID application registrations to move away from JSON is mistaken, at least if we plan to continue to use OpenID Connect. Because of the requirements of the WebID draft specification, it is not possible to call these Client Identifier URIs "WebIDs". And requiring these documents to be a non-JSON format conflicts with OpenID. It is also important to note that there are many types of identifiers. WebIDs are one such type. Solid does, in fact, build significantly on WebIDs, but at no point does the Solid Protocol specification state that WebIDs are the only identifier that can be used for agents and applications. Some people in Solid are already using DIDs. While I can appreciate that having multiple types of identifiers can introduce complexity, this is a feature not a bug of decentralized ecosystems. It is also a feature of an ecosystem that looks to the future. |
FYI in solid/solid-oidc#95 (comment) I'm bringing up the possibility to use
Solid Application Interoperability introduces a base of an authorization system that allows end-user to authorize applications.
IMO we can denote both the end-user and the application (client) with WebID or DID or something else. We should be more careful not to use the term WebID without a context of what it denotes. I think we need to organize all the requirements discussed here and look for proposals that take all of them into account. The mentioned separation between |
I think I'm missing some background. It would help me if you could be a bit more precise in your statement I've quoted above so I can have an answer on the following questions:
|
I agree with this point. Be that as it may, let me rephrase my concern: If both specs would allow any RDF serialisation, there wouldn't be a problem ;-) |
This seems like a very strong statement without real references or examples. Could you give some examples of decentralised ecosystems in which a plethora of different identifiers have helped their growth? Awaiting your response, I can give some counter examples of your statement:
You've provided a link to a draft document about DIDs in Solid while I actually expected a link to a list of people that already used Solid with DIDs... To the best of my knowledge, no one actually uses Solid with DIDs in a production environment, but I hope that you can give me a counter example :-) (Also, can we please stay on topic? This discussion is about using two identifiers of the same type, i.e. HTTP URIs for a concept that is - on first sight - semantically equivalent. You are talking about using two different types of identifiers - DIDs and HTTP URIs.) |
That's a problem indeed (related to #454). I just created #465 to tackle this specific problem. |
Anyhow, if we would decide against to use one identifier for an app, it would help if we could include a reference to the other in each of the documents. By that I mean that:
By doing this, we would know, for example, based on the WebID of an app, which redirect URIs are permitted. |
Thanks for the short recap for people who want to follow, but I don't see where we are conflating things.
WebIDs can indeed be used for that purpose; we do so ourselves. However, I see no reason why WebID-identified applications could not use the
You are right in pointing out the obvious distinction between the (social) agent using the client and the agent that is the client itself. However, I don't see why both could not be identified by (different) WebIDs. Again, the client is an agent that needs to be identified, and about which we want to declare some statements in a profile document.
I'm not sure why you are holding that against us. It is exactly this problem we want to raise once more, as you did so yourself a year ago in w3c/WebID#3 (before that issue sidetracked in a too general discussion about serialisations). If we presume that an application needs [A] an identifier that dereferences to a profile document containing Interop data, and [B] an identifier that dereferences to a document containing OIDC data, then why on earth would we have to create two different URI's pointing towards two different resources? (And likewise with any two other ID documents.) This holds even stronger when we realise that a lot of the information in both needs to be the same. Stubbornly keeping a specification that makes it more complex for developers is a bad practice, everybody knows that.
Definitely true, and rightly so. Now let's learn a bit about orthogonality from the DID's take on representations, and kick those default obligations out of the WebID and DID:Solid specs! It isn't even hard; it's not like we're asking anyone to give up their preferred syntaxes. Just don't demand them on default requests:
For clarity we can then possibly add:
|
In solid/solid-oidc#199 and solid/solid-oidc#95 (comment) we discuss aligning the OIDC specific parts with example of Metadata with RP's Entity Configuration from OpenID Connect Federation 1.0 - draft 22 If we do that, having two different IRI to identify the application in two different contexts might actually help us to meet different requirements of those two different contexts:
While we are at it we could also adjust claim in the ID Token to have matching |
Just a kind reminder for the editors (i.e. @timbl @justinwb @dmitrizagidulin @kjetilk @csarven and @RubenVerborgh) that we keep running into this issue. It would be great if this issue could have some more visibility so that we can come to a decision. |
Leading up to 0.9, we operated with milestones and project boards and a process to nominate and get issues on the board. Since I left Inrupt, I have not had the capacity to be a driving force for keeping the process going, but I believe we need to have that kind of structure and probably stick more closely to it too. At least, we can tag it. |
@acoburn what do you think about my suggestion above #463 (comment) |
@elf-pavlik, personally I'm not a big fan of putting claims under a 'solid' object. Also, if we use the federation entity statements, the clientid can just remain the app's WebID (which is what Tom is advocating for). I therefore think that this issue would be solved without further adjustments, when we make that step. |
Some considerations in light of the discussion during the CG Weekly. About the issueThere seems to be a huge amount of misunderstanding in this discussion, exemplified by the following statement.
This is true, but it is besides the question. This issue is NOT about the WebID of the person using an app versus the ClientID of the app itself. It is about the WebID of the app versus the ClientID of the app. Both are identifiers of the very same entity (the app), so the question whether or not these can be the same IRI is completely justified. The above is a theoretical, semantic question, of course, but @tomhgmns brings up a good practical consequence: if an app's WebID is different from its ClientID, a request containing a token with the WebID of the person using an app end the ClientID of the app itself (e.g. as in Solid-OIDC) cannot be used to retrieve data from the app's WebID Document (e.g. as in SAI). About solutionWe could indeed mandate mutual references in each document, as proposed by @elf-pavlik, but this seems just a hack when we're actually talking about the same entity. In the same line, we could put every piece of data from different specs in different resources, and let them all point to one another. A more interesting option becomes available in the light of integration with OIDC Federation. @acoburn says the following:
While I gladly agree with the perspective this brings, I believe the conclusion here (my emphasis) is misguided. In the context of OIDC Federation Entity Discovery with Automatic Registration, which is what will subsume the current OIDC Dynamic Client Registration flow, the Client ID of an app will be its Entity Identifier (a globally unique URI). Such a URI has no specific restrictions except that the Entity Configuration (a self-issued Entity Statement) must be available at that URI's We can thus perfectly envision an app with WebID / Entity Identifier / ClientID |
Also there are semantic differences between client-id and webid of an app.
Where as |
Also one single app with name
Thus one app with a single literal-name/uri-name(web-id) can have multiple contracts with multiple providers, and thus multiple contractual identifiers. One-to-Many. |
@elf-pavlik I very much agree with #463 (comment) I would also emphasize that, given that we are using the OpenID Connect framework for authentication, there are several distinct conceptual entities:
In this context, the Relying Party is identified with a What is being discussed here is merging these two roles into a single role where the End User and the Relying Party are the same logical entity and are identified with a single URI. It is possible to conflate these two roles into a single URI (and it is entirely possible to do this today in the context of the current Solid-OIDC specification), but this is not something I would recommend. These are distinct roles, and as such, I would highly recommend identifying those roles as independent entities. |
I think this is part of the misunderstanding. The discussion is only about URI(s) denoting the application/client, this discussion doesn't involve at all separate URI which denotes the End User. |
Perhaps a bit of logic can help. A WebID identifies an Agent. It can identify a Person, in which case we expect the triple <#i> a foaf:Person . to appear inside the Personal Profile Document. The type A WebID can identify a software instance in which case we should have a URL for the class of Apps, and the following triple inside the App document. <#myCal> a solid:App where solid:App rdfs:subClassOf foaf:Agent If one were to have an ISBN for an App then it should probably be a subclass of Following that thinking we see that both sides of the argument are right:
|
To me, it seems that there are two reasonable solutions here, using the various specifications in their current form:
|
In today's meeting @woutermont made an interesting point that in the gov case they were working on they found the distinction between the Agent ID and the App Id to be unecessary. Would that mean that they want something like this: <#x> a foaf:Person, solid:App . I.e. an identifier that both refers to a Person and an solid App? That seems a bit weird, mostly because people have different identity criteria to apps. Apps have versions, change over time, are tested, can be shipped over the internet in binary form, ... |
@RubenVerborgh, we're only going in circles because people get stuck on the same misinterpretation of this issue as @acoburn and @bblfish, which both I and @elf-pavlik have tried to clear up: we do NOT want to say that a Person is an App. We are talking about assigning an App a WebID (cf. SAI) and a ClientID (cf. Solid-OIDC), and whether these two IDs can be the same URI. The "issue" to me is semantic of nature, even though it has clearly presented practical effects: we cannot discover the one IRI via the other. "Tackling it" means: resolving the semantic friction and making that discovery possible. To answer to @damooo, who is the only one who seems to have understood the core of the issue: a WebID and a ClientID (in the Solid-OIDC or OpenID Federation sense) are both globally unique identifiers. A WebID has semantics in the context of the WebID spec, a ClientID has semantics in the context of the (Solid-)OIDC (Federation) spec. Those respective semantics are:
These semantics are not incompatible; it is perfectly possible to have a 'ClientWebID': "a HTTP URI that is globally unique, that is bound to one Entity, which refers to an Agent and dereferences to a document describing the Agent." An Identifier adhering to that description would have meaning in both specs. Since in reality there is only a single Entity to which both the WebID and the ClientID correspond, it is also possible to assign this ClientWebID to it, and use it in both contexts. The only thing preventing us from doing that today is a bad interpretation of the WebID spec; but this will no longer be a problem once we incorporate OpenID Federation. EDIT: Shoutout to solid/solid-oidc#207, which will solve this 👍 |
Ok, I think I understood you @woutermont , I was just trying to make sure above to exclude the more bizzare interpretation. Perhaps can put it logically too. Let us say that we have a <#app> a :ClientWebID, oidc:AppId . That actually seems quite reasonable to me, and indeed it was considered by @acoburn quite early on, since he was arguing to allow WebIDs to have turtle representations for just that reason w3c/WebID#3 . |
Exactly 😄 That's why I find it so bizar that he keeps involving the User in the discussion. With regards to the logical notation, I don't think that you can put it that way, at least not in RDF: the identifier ( |
I agree. I just quickly grasped for those terms. But yes, something like <#app> a solid:App , oidc:Client . Do we have official terms for any of those types yet? |
There is |
In light of solid/solid-oidc#207,
|
Thanks for the clear points, @damooo! As you say, OpenID Federation allows a "bring-your-own" approach to ClientIDs (a.k.a. OIDC Dynamic Cient Registration, which is the current base of Solid-OIDC), and is thus indeed compatible with WebID (see also the examples at solid/solid-oidc#207 (comment) and higher up this issue. On the scope of the identifier, I must disagree with you. Both the WebID and the Entity Identifier (ClientID) must be globally unique (they are URIs), but neither must be unique for an app: a single app may have multiple WebIDs and/or Entity Identifiers (ClientID)s. For example: I can deploy an app on |
Scope, in the sense not just of identifier string scope. But about scope of applicability, and satisfaction of criteria for entire setup ( deref + hosting config + ..). One single setup as per above can seemlessly satisfy entire scope of webid. We can use that wherever webid is expected. But it is not the case for usage as oidc-entity uri. For that setup is bound to / scoped to one single federation with single config. There can be many work-arounds as specified above. The ideal case of having unique webid, and offering services in many federations with custom configurations is not possible, with webid also being entity-id. Ideally one should certainly be able to maintain single webid, to identify across whole spectrum of it's applicability. For users may want to say something about the app in federation agnostic way (review/ rate). It may be branding, accountability, etc... |
Correct, it is not "perfect" in that sense. I do not think that this is behaviour which OpenID Federation wants to encourage. An Automatically Registered Entity has a fixed Entity Identifier. Doing another Automatic Registration at a second Federation using a different Entity Configuration will thus require a different Entity Identifier anyway; regardless of a combo with WebID. The problem you describe is thus a problem of OpenID Federation itself. This issue only pointed out the fact that the combination of both roles by a single identifier was up till now not possible. With OpenID Federation it is; case closed. Let's leave it up to each implementer to decide if it is useful. |
Thank you all for your input. As pointed out by @woutermont, OIDC federation (see solid/solid-oidc#207), would indeed solve this issue. Thank you for bringing this issue to our attention, @acoburn! With OIDC federation, we could use the app's WebID as the app's ClientID and serve the contents that are currently in the ClientID document in a different document at another location. |
An app in Solid needs to have an identifier. The spec states that "WebIDs [...] are used as the primary identifier for users and applications." (Solid Protocol, Section 9.1).
However, currently, apps are not only identified by their WebID, but also by their ClientID.
This leads to inconsistencies that hinder implementation. Examples are:
Considering that the Solid spec states that WebIDs "should be the primary identifier for users and applications", it seems logical to continue with the WebID of an app and drop the ClientID of an app.
One solution would be to merge the information in both documents into one (WebID) document and serialise this information as desired using content negotiation.
However, in this solution, there would be a number of additional problems:
Accept
headersGiven the importance of keeping the specification consistent and the use of identifiers within Solid, I hope we can tackle this issue as fast as possible.
The text was updated successfully, but these errors were encountered: