- From: Virginia Balseiro <info@virginiabalseiro.com>
- Date: Tue, 22 Apr 2025 19:51:43 +0000
- To: public-solid@w3.org
- Message-ID: <ca29339c-519a-49c5-984c-97e515c62743@virginiabalseiro.com>
> Besides that dynamic identifiers are practically useless when setting
> client restrictions using for example `acp:client` matchers.

If operators can set client restrictions on certain operations and/or resources, then the user is not free to use whatever app they prefer or trust. Doesn't this break the whole 'user autonomy' concept?

> Do you see the issues you mention still applicable when Client IDs
> which dereference to Client ID Documents are used?

If the client needs to make themselves aware / known to the IDP via a manual registration process in some sort of registration or broker service to obtain certain credentials, then yes.

Just to be perfectly clear, I'm not questioning the security aspects so please abstain from security reassurances :) I'm sure it is secure, I am wondering how it fits into the selling points of Solid of using your preferred identity and applications, etc. I'm just wondering how it can scale if clients need to cater to specific IDPs.

> On 2025-04-22 09:30, Virginia Balseiro wrote:
>
>> Hi all, I want to ask a potentially silly question about Solid-OIDC :)
>>
>> AFAICT, with static registration, clients need to be very aware of IDPs, registering themselves statically (read: manually) on a particular "broker" service. This means it is not particularly scalable for a decentralized ecosystem.
>>
>> Dynamic client registration is perhaps more suitable for a decentralized ecosystem, but the benefits in terms of security seem marginal since any client can register themselves dynamically.
>>
>> In addition, there have been conversations (and there might have been implementations) about potential restrictions of certain operations and/or certain resources to particular clients, which means that users will need to contact / request their RP / service providers to allow a certain application that they prefer / trust.
>>
>> These approaches sound for sure very secure, but don't seem to align to the promise of individuals having the "autonomy" that Solid is supposed to offer.
>>
>> I may have misunderstood some of the technical details but it seems to me (Solid-)OIDC's model isn't particularly fitting for Solid. My question is, how would this be reasonably usable and scalable in a decentralized / open ecosystem?
>>
>> Cheers,
>>
>> Virginia
>> https://virginiabalseiro.com/#me
Received on Tuesday, 22 April 2025 19:51:55 UTC