Re: Documenting WebID + Shared Secret

On Tue, 5 May 2020 at 00:13, Melvin Carvalho <melvincarvalho@gmail.com>
wrote:

> Was chatting to Kingsley and Dmitri lately and I realized that quite often
> WebID over HTTP is authenticated via a shared secret.  Namely a cookie.
>
> We realized that this is not documented anywhere.  And I asked dmitri
> about it usage.  Im just capturing the responses here.
>
> "I think all Solid servers use cookies (and store the WebID in the cookie
> session) as a local authentication method, in addition to TLS and OIDC.
> It's very convenient; the only reason it's not the main mechanism is of
> course, it's domain-specific."
>
> and
>
> "I don't think it's written up anywhere. I think it's because each
> implementation's cookie session mechanism is slightly different.
> But usually, it goes like:
>
> 1. When a user logs in (via username and password, or TLS, or OIDC token),
> you put their WebID in your session. (request.session.webId = <user's
> authenticated webId>)
> 2. In all the other requests, you just use request.session.webId directly.
>
> And the server's (Express.js, or whatever the other ones are using)
> session cookie store takes care of it."
>
> This actually might be one of the more common types of WebID auth.
>
> Would it be worth writing up, and should it be called:
>
> WebID + Cookie or
> WebID + Shared Secret?
>

CC'ing dmitri on this

Just looking at the change log:

https://github.com/solid/node-solid-server/blame/19d1bf0ff5a9a59bb59300b8fce3bfcd038d0ea7/CHANGELOG.md

Dmitri's work on node solid server seems to have included cookies, but it
may have been disabled at some point after

I'd like to capture some of this information here.  And also could we put
it in our knowledge base somewhere, e.g. in the wiki, or make a new spec
etc.?