Re: Solid App Authorization from Henry Story on 2019-07-31 (public-solid@w3.org from July 2019)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 31 Jul 2019 23:31:49 +0200
To: Alexandre Bourlier <alexandre.bourlier@gmail.com>
Cc: Michael Pigott <mpigott@ironhorsesoftware.com>, public-solid <public-solid@w3.org>
Message-Id: <338DDE25-1464-4478-A0CE-615BC0ED720A@bblfish.net>

There is an alternative that would be very close to 
WebID-TLS and that would work very well with 
HTTP2.0 and that is using HTTP-Signatures and JS-Crypto.
See my implementation from a few years back

Server side:
https://github.com/read-write-web/akka-http-signature <https://github.com/read-write-web/akka-http-signature>
It has all the links to the docs

and I think the use of JS-Crypt on the client is here
https://github.com/read-write-web/solid-client
But I need to update it.

This has all the efficiency advantages of WebID-TLS 
but does not have the UI built in that could have been
hoped for with client certificates (though key gen still
works in Netscape I hear)

Henry Story


> On 31 Jul 2019, at 08:56, Alexandre Bourlier <alexandre.bourlier@gmail.com> wrote:
> 
> Hi Michael,
> 
> As far as I know, WebID-TLS is not going to happen by lack of browser support for the standard.
> 
> I believe WebID-OIDC is the recommended way to authenticate an app to a POD. At least, that is how we do it at Startin'blox 😉
> 
> I do not know what DID is though.
> 
> I hope this helps
> 
> 
> On Wed, Jul 31, 2019, 00:06 Michael Pigott <mpigott@ironhorsesoftware.com <mailto:mpigott@ironhorsesoftware.com>> wrote:
> Hello Solid WC!
>     I have been working on https://solid.vip <https://solid.vip/> today, which is a project to build a user profile by combining public information from existing social media accounts (LinkedIn, GitHub, Twitter, Facebook, and Google) and putting the information on a single-page profile.  My own user profile looks like this: http://mpigott.solid.vip/ <http://mpigott.solid.vip/>.
>     The next feature I would like to add is to allow the user to import the data into a Solid POD.  However, I am not sure what the preferred way to authenticate an application is; it seems like much of the Solid platform is still in flux.  Is there a recommended spec I should follow (WebID-TLS, WebID-OIDC, DID) in order to allow someone with a Solid POD to import the data from the generated profile?
> 
> Thanks!
> Mike
>

Received on Wednesday, 31 July 2019 21:32:18 UTC