I am new to solid. I want to develop an app, so I start to learn how all of this works. Please be patient with me ; maybe I got things wrong.
In order to authenticate to a pod, I see 2 solutions: webid-oidc, and direct webid-tls. When I want to request a private resource, the server will by default send an “unauthorized” error code, and the expected behavior is that I would ask my pod to prove who I am to the server (webid-oidc). But I have also read about webid-tls, in which the server would (instead of sending unauthorized) ask me for a certificate, extract the webid from it, dereference it and check that the certificate authenticates me.
I only see advantages in webid-tls from the app developer perspective:
- way simpler, because all the crypto stuff is handled by the browser;
- more usable, because the user is prompted for a certificate (there is usually only one) and not for a server name (it is very easy to forget for intermittent users).
However, there has been mentions that this behavior is deprecated; why is it so?
I hope somebody with more knowledge than me will answer, but my guess is that this is because browsers don’t support the crypto APIs that are needed to make it easy to generate and install the certificates. Doing this yourself is too complicated for most of us, so unless browser makers step up it’s impractical. But as I say, I’m speculating.
Thank you for your answer! I have found https://www.w3.org/TR/WebCryptoAPI/ (WebCrypto); this can generate a keypair but there seems to be no way to add the private key to the browser certificate store! The firefox situation seems very sorry https://bugzilla.mozilla.org/show_bug.cgi?id=1088063
Should we get more vocal about this issue? Are there other problems with webid-tls?
By digging through this issue I noticed that it lead to heated debates when keygen was deprecated; I do not wish to bring back the discussion but I think this is a shame.
WebID-TLS from user perspective in Browsers is a debacle from several points of views. Browser could have fixed and improved it, but instead the situation got worse with the deprecation of keygen.
I think WebID-OIDC is what people can quite easily understand and use, since it does not differ much from what they know and are used to already .
BUT: I still wonder why WebID TLS should be removed completely… I think it could be a good option for non-human access, like IoT devices, server-to-server communication etc.
I think they are mostly incompatible: the server needs to choose how to respond to a request for a private resource. Either it requests a certificate, or it responds with unauthorized. Maybe we could have a request header to choose between these options? My understanding of the matter is still scarce, but of course being able to use curl on the command line with its built-in support for client certificates would be great.
As for webid-oidc, there is a huge difference in that the client needs to remember the name of the solid pod. If I understand correctly, the browser will not fill it in, because it could leak information in the DOM.