Re: Documenting WebID + Shared Secret

On Tue, 5 May 2020 at 01:20, Aaron Coburn <acoburn@apache.org> wrote:

> > I think all Solid servers use cookies
>
> No, not all Solid servers use cookies for authentication. Some don't use
> cookies at all, even when they use OIDC-based authentication.
>

To clarify, I was quoting from the chat with Dmitri (who did the auth for
node-solid-server and made webid-oidc)

Do you know which servers may use a cookie, and which not?

That aside, do you think it's a good idea to document?


>
>
> On Mon, 4 May 2020 at 18:49, Martynas Jusevičius <martynas@atomgraph.com>
> wrote:
>
>> WebID-TLS does not require a cookie.
>>
>> On Tue, 5 May 2020 at 00.14, Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>>> Was chatting to Kingsley and Dmitri lately and I realized that quite
>>> often WebID over HTTP is authenticated via a shared secret.  Namely a
>>> cookie.
>>>
>>> We realized that this is not documented anywhere.  And I asked Dmitri
>>> about its usage.  I'm just capturing the responses here.
>>>
>>> "I think all Solid servers use cookies (and store the WebID in the
>>> cookie session) as a local authentication method, in addition to TLS and
>>> OIDC. It's very convenient; the only reason it's not the main mechanism is
>>> of course, it's domain-specific."
>>>
>>> and
>>>
>>> "I don't think it's written up anywhere. I think it's because each
>>> implementation's cookie session mechanism is slightly different.
>>> But usually, it goes like:
>>>
>>> 1. When a user logs in (via username and password, or TLS, or OIDC
>>> token), you put their WebID in your session. (request.session.webId =
>>> <user's authenticated webId>)
>>> 2. In all the other requests, you just use request.session.webId
>>> directly.
>>>
>>> And the server's (Express.js, or whatever the other ones are using)
>>> session cookie store takes care of it."
>>>
>>> This actually might be one of the more common types of WebID auth.
>>>
>>> Would it be worth writing up, and should it be called:
>>>
>>> WebID + Cookie or
>>> WebID + Shared Secret?
>>>
>>

Received on Tuesday, 5 May 2020 07:33:24 UTC