Options for resolving Issue #22
Scenario: Alice, using her browser, wants to access resources on server bob.example, authenticating herself as the owner of server alice.example (or a specific resource on it, like her WebID graph or profile)
Current solution: use WebID-TLS. But support in the browser has issues (see issue statement), so what are some alternatives?
- Proxy TLS: Alice talks to her pod, while her pod uses WebID-TLS to talk to bob.example. Her secret key remains on her pod.
- Digital Signatures: Alice signs her request to bob.example using a (non-TLS) private key; bob verifies with public key obtained from alice.example
- Token Confirmation: A secret bearer token passes through all three parties, confirming to bob.example that the client controls alice.example
| Candidates | Proxy | Digital Signatures | Token Confirmation |
|---|---|---|---|
| Homegrown Design | TBD | WebID-RSA, HTTP Signatures + ?? | SPOT,WebID-Tokens |
| Community Design | - | - | IndieAuth |
Note: I've been unable to find a spec for communicating the public key in http-sig, making it only one component in a solution, not a complete candidate. But I've heard of a demo where Manu used it for logging in, and Henry says he's implemented it, so maybe the spec exists somewhere.
Other:
- EvanP's Dialback I-D, Issues (Abandoned.)
- Wikipedia's list of Single Signon Systems 20-non-proprietary candidates
|WebID-RSA|HTTP-Sig|SPOT|WebID-Tokens|IndieAuth ---|---|---|---|---|--- User identifier|WebID|??|Web Page|WebID|Web Page Works in browser with JS off|N|N|N|N|Yes (OAuth Flow) Discovery|GET RDF|??|HTTP Headers|GET RDF|Parse HTML + HTTP Headers Profile can be on static site|Y|Y|N|Y|Y Implementations|-|Digital Bazaar?|-|-|Several in IndieWebCamp Client round trips| Patent Status|
You place the key at the URI of the key the client passes in the HTTPSig header.