Relying Party and ID token

from https://gitter.im/solid/solid-spec?at=5bf849c5662131389408fa6b

Dame Lyngdoh @DameLyngdoh Nov 23 13:41
I’ve been reading the specifications about WebID and OIDC and I’m not getting the clarity of how exactly the mechanism is happening. When I register to a POD (for the very first time), does that mean that the POD server provides me the WebID?

Dmitri Zagidulin @dmitrizagidulin Nov 23 16:09
@DameLyngdoh yes, when you register / create an account, that gives you a WebID url.

Dame Lyngdoh @DameLyngdoh Nov 24 06:39
@dmitrizagidulin Ok. Now after I get the webID, when I log into a different PoD (different provider), this PoD will refer to the PoD which I had registered in, am I correct?

Dmitri Zagidulin @dmitrizagidulin Nov 24 06:41
when you log in to a different pod, that pod will get your webid (which is the url to your profile), so it will know where to look up your preferences etc
your webid is basically a globally unique user id
that all the pods can use without you registering with them. does that make sense?

Dame Lyngdoh @DameLyngdoh Nov 24 06:44
Yes. That makes sense. But what about credentials? Logging into the new PoD when my credentials are initially unknown to the server? (assuming I’m not using WebID-TLS and using OIDC)

Dmitri Zagidulin @dmitrizagidulin Nov 24 06:45
aha. so there is a delegation of credentials going on, via signatures
logging into a new pod (or any new app, really) - that’s called the Relying Party
or RP for short
and the RP gets handed a signed ID Token, as part of the OIDC workflow

Dame Lyngdoh @DameLyngdoh Nov 24 06:48
The OIDC token from the PoD I initially registered. So it all comes down to how OIDC/OAuth2 operates (with the token exchange)

Dmitri Zagidulin @dmitrizagidulin Nov 24 06:49
the ID Token has a couple of things, expirations, which RP it’s intended for (so that it can’t be reused everywhere), the WebID, and a digital signature from the user’s home pod
exactly, re token exchange
so in a way, the signature represents the home pod saying “the user has authenticated to me, and here is their user id (webid)”

Dame Lyngdoh @DameLyngdoh Nov 24 06:51
@dmitrizagidulin Thank you so much. This information is of great help to my work.

Dmitri Zagidulin @dmitrizagidulin Nov 24 06:51
np!