IDP delegation protocol?

Hi.

I've made a few tests using Melvin's libAuthentication PHP library
(actually with our fork at [0]) and I'm wondering if there aren't some
shortcomings with the current "IDP" delegation protocol which is
implemented by foafssl.org/srv/idp and auth.my-profile.eu/auth/index.php
(using the authreqissuer, signed response, etc.).

First, is this specified somewhere?


Then, the problem I found with the current "protocol" implementation:

Melvin's implementation chooses a default IdP (foafssl.org) and declares
its cert statically in the code, so if you don't use that one, for
instance with:
 https://auth.my-profile.eu/auth/index.php?authreqissuer=http://myapp.com/index.php
then it's difficult to instruct $auth->isAuthenticated() that another
service's cert must be used to check the sig.

It seems that Andrei implemented a referer= arg passed with the
response, which can help find another cert in the store, so
auth.my-profile.eu/auth will respond with something like:
http://myapp.com/index.php?webid=...&ts=...&sig=...&referer=https://auth.my-profile.eu

But that doesn't warrant I should trust this parameter, unless it is
signed by the IdP (which isn't the case at the moment).

So... my understanding is that there should be some kind of "from"
origin of the IdP's response, passed back in the signed part of the
response (maybe called referer, but I fear some confusion with the HTTP
Referer header).

So the lib could first get that "from", find the corresponding cert in its
store of trusted IdPs, and check the signature with that cert's pubkey,
which would then validate that we can trust this IdP and declare
delegated authentication successful.

I think OAuth has already covered much of these aspects (in the 2-legged
variant IIRC), so I'm really wondering if it's worth implementing such
a novel protocol instead of relying on OAuth...

Any comments, opinions?

Thanks in advance.

[0] https://github.com/WebIDauth/libAuthentication

P.S.: FYI, I'm working on trying to implement WebID auth for
FusionForge... hence looking for PHP libs, and testing ;)
-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

Received on Tuesday, 10 July 2012 17:01:30 UTC
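The relying-party check Olivier describes, as an added example that is not part of the original post, of libAuthentication or of either IdP: the IdP's origin (`from`) sits inside the signed part of the response, the verifier selects the trusted cert from that signed field, and anything appended after `sig` (such as a trailing `referer=`) is ignored because it is not authenticated. The parameter name `from`, the epoch-seconds `ts`, the "sign everything before `&sig=`" convention and the toy textbook-RSA key pair standing in for an IdP certificate are all assumptions made so the example runs with the standard library only.

```python
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed toy textbook-RSA key pair standing in for the IdP's certificate
# key so this runs with the standard library only. ~60-bit modulus: NOT secure,
# purely illustrative; a real relying party uses the IdP's X.509 public key.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
TRUSTED_IDPS = {"https://auth.my-profile.eu": (E, N)}   # origin -> (e, n)

def _digest(data: bytes, n: int) -> int:
    """SHA-256 of the signed bytes, reduced into the toy key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def idp_sign_response(authreqissuer: str, webid: str, origin: str, ts: int) -> str:
    """IdP side (hypothetical): 'from' is placed before 'sig', so it is covered
    by the signature; anything appended after 'sig' is not."""
    signed = authreqissuer + "?" + urlencode({"webid": webid, "ts": ts, "from": origin})
    sig = pow(_digest(signed.encode(), N), D, N)
    return signed + "&sig=" + format(sig, "x")

def verify_response(url: str, trusted_idps: dict, now: int, max_age: int = 60):
    """Relying-party side: pick the key from the *signed* 'from' field, check
    the signature, then check freshness. Returns the WebID or None."""
    signed, sep, rest = url.partition("&sig=")
    if not sep:
        return None                               # no signature at all
    sig_hex = rest.split("&", 1)[0]               # trailing params are unsigned: ignored
    params = dict(parse_qsl(urlsplit(signed).query))
    key = trusted_idps.get(params.get("from"))
    if key is None:
        return None                               # issuer missing or not trusted
    e, n = key
    if pow(int(sig_hex, 16), e, n) != _digest(signed.encode(), n):
        return None                               # signed bytes were altered
    if abs(now - int(params.get("ts", 0))) > max_age:
        return None                               # stale assertion (replay window)
    return params.get("webid")

if __name__ == "__main__":
    url = idp_sign_response("http://myapp.com/index.php",
                            "https://example.org/alice#me",   # constructed WebID
                            "https://auth.my-profile.eu", 1700000000)
    print(verify_response(url, TRUSTED_IDPS, now=1700000005))
    # An unsigned trailing referer changes nothing, which is why it must not
    # drive the trust decision:
    print(verify_response(url + "&referer=https://other.example", TRUSTED_IDPS, 1700000005))
```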