An application can easily get around app permissions

Hello again,

I have understood a few things lately, and this issue is addressed by the “new” authentication workflow described at https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md.

Indeed, the OpenID provider now signs a token binding together the application’s origin, the WebID of the user, and the public key of the user. So under the new Multi-RS use case, it will be easy to check that the app removed the Origin header.
