Re: "Logged in with fedsocweb"

A. In OpenID there's something called the UserInfo endpoint (In OAuth
terminology, that's the protected resource). So you could request the list
of friends, and other things directly from that UserInfo endpoint, simply
as part of the normal OAuth flow.

OR

B. We could have a standard Linked Data endpoint from which you get the
list of friends and other stuff, and we could protect that endpoint with
the OpenID Connect token.

So the flow would be something like this I think

1. User goes to relying party website
2. Relying party website asks "Plz sign in with OpenID Connect"
3. User types their FedSocWeb address (Webfinger), which is also their OIDC
identifier
4. Relying party website redirects to the user's personal OpenID Connect
IdP [which could be on a FreedomBox, or on a self-hosted
status.net instance, etc]
5. User types password or authenticates in some other way [e.g. with a
Yubikey plugged into their FreedomBox]
6. OIDC IdP redirects user back to relying party website
7. Relying party website receives access token
8. (in case of A above): Relying party talks to UserInfo endpoint to
receive user ID plus additional information such as list of friends
8. (in case of B above): Relying party talks to UserInfo endpoint to
receive user ID, then talks to Linked Data endpoint to receive list of
friends.

Or something like that...

I know the standard authn/authz mechanism for Linked Data is WebID/WebACL,
but shouldn't OAuth/OIDC work too?

Markus

On Sun, Jul 8, 2012 at 5:31 PM, Michiel de Jong <michiel@unhosted.org> wrote:

> On Sun, Jul 8, 2012 at 6:15 PM, Michiel de Jong <michiel@unhosted.org>
> wrote:
> > interrelated). but only saying 'nodes should implement OpenID Connect'
> > is not enough to solve these two use cases, i think? Scanning over
> > http://openid.net/connect/ i see no explicit mention of friend lists,
> > but maybe i didn't read carefully enough?
>
> ah, found it - "Open source protocols such as Portable Contacts can be
> used with OpenID to offer your site access to a user’s address book
> and friends lists." on http://openid.net/add-openid/
>
> so yeah that makes sense to me. require webfinger + openid connect +
> poco for normal users, or as a power user alternative, the same but
> using a client-side cert instead of a password.
>
> poco is already in OStatus, so that's good. would have to set up a
> demo of this and then describe it on the wiki.

Received on Sunday, 8 July 2012 16:29:28 UTC
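An added sketch, not code from the thread or from any FedSocWeb project, of the relying-party side of the flow Markus describes (steps 3, 4 and 8, variant A): turning the typed WebFinger address into the OIDC issuer lookup, and checking the UserInfo answer before trusting its friend list. It assumes a hypothetical "friends" claim in UserInfo (not a standard OIDC claim) and uses constructed sample responses instead of network calls.

```python
# Added example: relying-party-side discovery and UserInfo checks for the
# WebFinger + OpenID Connect flow above. All sample data is constructed.
from urllib.parse import urlencode, urlparse

# Link relation defined by OpenID Connect Discovery 1.0 for issuer lookup.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def webfinger_query_url(address: str) -> str:
    """Steps 3/4: build the WebFinger lookup URL for a typed user@host."""
    if address.startswith("acct:"):
        address = address[5:]
    if "@" not in address:
        raise ValueError("expected user@host")
    host = address.rsplit("@", 1)[1]
    q = urlencode({"resource": "acct:" + address, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{q}"

def issuer_from_jrd(jrd: dict, expected_subject: str) -> str:
    """Pick the OIDC issuer out of a JRD, rejecting mismatched or non-https answers."""
    if jrd.get("subject") != expected_subject:
        raise ValueError("JRD subject does not match the queried resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            if urlparse(href).scheme != "https":
                raise ValueError("issuer must be an https URL")
            return href.rstrip("/")
    raise ValueError("no OIDC issuer link in JRD")

def friends_from_userinfo(id_token_claims: dict, userinfo: dict) -> list:
    """Step 8 (A): only accept the friend list if UserInfo's sub matches the ID token."""
    if userinfo.get("sub") != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub does not match ID token sub")
    return list(userinfo.get("friends", []))  # "friends" is a hypothetical claim

# Constructed sample responses standing in for the real WebFinger/IdP replies.
SAMPLE_JRD = {
    "subject": "acct:alice@example.org",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.org/"}],
}
SAMPLE_ID_TOKEN = {"iss": "https://idp.example.org", "sub": "alice-123"}
SAMPLE_USERINFO = {"sub": "alice-123", "friends": ["acct:bob@example.net"]}

if __name__ == "__main__":
    print(webfinger_query_url("alice@example.org"))
    issuer = issuer_from_jrd(SAMPLE_JRD, "acct:alice@example.org")
    print(issuer + "/.well-known/openid-configuration")  # next discovery step
    print(friends_from_userinfo(SAMPLE_ID_TOKEN, SAMPLE_USERINFO))
```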