test-suite
id token used as bearer token
In https://github.com/solid/test-suite/blob/master/testers/rdf-fixtures/fixture-tables/http-put-check-acl.ttl#L32 and other places, the id token from the IDP is used as a bearer token. Instead, it should be wrapped into a PoP token, as described in https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md#5-generates-a-privatepublic-key-pair
cc @jaxoncreed @dmitrizagidulin @kjetilk
OK, I don't understand the ramifications of this issue.
Is there a simple fix for this that could in principle be done right now in a few hours, or something that would require more work and possibly be incompatible with older systems?
Just noting that the wrapped PoP token is something that is changing with the new webid-oidc specification. The new mechanism will make use of DPoP. Effectively, this means that a client will send requests with these headers:
Authorization: DPoP <access-token>
DPoP: <proof-of-possession-token>
The access-token will have a cnf claim that references the fingerprint of a public key, and the pop-token will embed that public key. The PoP token also scopes the request to a particular URL with a particular HTTP method. This glosses over a lot of details, but that's the high-level view of what goes on.
Thanks for the link! Where can we read more about the new mechanism?
The new mechanism is in the process of being formalized within the Authentication panel, but you can see the current state of the proposal. The pull requests on that repo will also give some more in-process detail, but my understanding is that, generally speaking, the proposal will combine DPoP with some of the WebID-specific details that are part of the existing webid-oidc spec.
/cc @dmitrizagidulin