Re: Usability and scalability of Solid-OIDC in a decentralized ecosystem from Melvin Carvalho on 2025-04-22 (public-solid@w3.org from April 2025)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 22 Apr 2025 17:38:28 +0200
To: Virginia Balseiro <info@virginiabalseiro.com>
Cc: public-solid@w3.org
Message-ID: <CAKaEYh+8X6tQP7BGEcYfK-8muc6OYALZfhRoop0NDod=8dL0Hw@mail.gmail.com>

út 22. 4. 2025 v 17:32 odesílatel Virginia Balseiro <
info@virginiabalseiro.com> napsal:

> Hi all, I want to ask a potentially silly question about Solid-OIDC :)
>
> AFAICT, with static registration, clients need to be very aware of IDPs,
> registering themselves statically (read: manually) on a particular
> "broker" service. This means it is not particularly scalable for a
> decentralized ecosystem.
>
> Dynamic client registration is perhaps more suitable for a decentralized
> ecosystem, but the benefits in terms of security seem marginal since any
> client can register themselves dynamically.
>
> In addition, there have been conversations (and there might have been
> implementations) about potential restrictions of certain operations
> and/or certain resources to particular clients means that users will
> need to contact / request their RP / service providers to allow a
> certain application that they prefer / trust.
>
> These approaches sound for sure very secure, but doesn't seem to align
> to the promise of individuals having the "autonomy" that Solid is
> supposed to offer.
>
> I may have misunderstood some of the technical details but it seems to
> me (Solid-)OIDC's model isn't particularly fitting for Solid. My
> question is, how would this be reasonably usable and scalable in a
> decentralized / open ecosystem?
>

Hi Virginia,

Not a silly question at all — it’s a really thoughtful one!

Just to add a note: Solid-OIDC is only one option for authentication in
Solid. Before it came along, we had WebID-TLS, which leaned more toward
decentralization (albeit with its own quirks).

Over in the Nostr CG, we’ve also been exploring a different approach to
decentralized auth that I believe could scale beautifully. It’s called HTTP
Schnorr Authentication — simple, elegant, and grounded in cryptographic
identity:

https://nostrcg.github.io/http-schnorr-auth/

Still early days, but exciting directions ahead!

Best,
Melvin


>
> Cheers,
>
> Virginia
> https://virginiabalseiro.com/#me
>
>
>

Received on Tuesday, 22 April 2025 15:38:45 UTC