LWS Authentication

README.md

@@ -3,13 +3,16 @@
 This is the repository for lws-protocol. You're welcome to contribute! Let's make the Web rock our socks
 off!
 To see the most recent HTML rendered version of the specification from this repository can be found at the following:
- * [LWS Protocol](https://w3c.github.io/lws-protocol/spec/)
+ * [LWS Protocol](https://w3c.github.io/lws-protocol/lws10-core/)
 
 
 ## (1.0) Specs:
 
-- [core](lws10-core/)
-- [authn-openid](lws10-authn-openid/)
+- [`core`](lws10-core/): Core protocol
+- [`authn-openid`](lws10-authn-openid/): OpenID Connect Authentication Suite
+- [`authn-saml`](lws10-authn-saml/): SAML 2.0 Authentication Suite
+- [`authn-ssi-cid`](lws10-authn-ssi-cid): Self-signed Controlled Identifier Authentication Suite
+- [`authn-ssi-did-key`](lws10-authn-ssi-did-key): Self-signed `did:key` Authentication Suite
 
 
 ## Contribution Guidelines:

lws10-authn-openid/index.html

@@ -2,25 +2,20 @@
 <html lang="en">
   <head>
     <meta charset="utf-8">
-    <title>LWS Protocol</title>
+    <title>LWS Authentication Suite: OpenID Connect</title>
     <script src="https://www.w3.org/Tools/respec/respec-w3c" class="remove"></script>
     <link rel="stylesheet" href="local.css"/>
     <script class='remove'>
       // See https://respec.org/docs/ for how to configure ReSpec
       var respecConfig = {
         specStatus: "ED",
-        shortName: "lws-protocol",
+        shortName: "lws-authn-openid",
         editors: [{
-          name: "Pierre-Antoine Champin"
-        }, {
-          name: "ericP"
-        }, {
           name: "Jesse Wright"
         }, {
-          name: "Erich Bremer"
+          name: "Aaron Coburn"
         }],
         github: "w3c/lws-protocol",
-        shortName: "authn-openid",
         xref: ["web-platform"],
         group: "lws",
       };
@@ -29,7 +24,7 @@
   <body>
     <section id="abstract">
       <p>
-        This document defines how to identify and validate end-user agents, enabling authorization claims to be enforced by Linked Web Storage Authorisation Servers.
+        This document defines an OpenID Connect-based authentication suite for the Linked Web Storage (LWS) protocol, enabling LWS applications to integrate with OpenID providers.
       </p>
     </section>
     <section id="sotd">
@@ -41,12 +36,178 @@
     <section id="introduction">
       <h2>Introduction</h2>
       <p>
-        This document defines a mechanism for identifying agents and end users that plan to interact with a linked web storage server.
-        This specification does not mandate a particular format for end-user credentials, though it does describe how existing identity systems can be used in conjunction with the linked web storage authorization framework.
+        OpenID Connect is a widely used mechanism for web-based authentication. This authentication suite describes how an OpenID provider can be used with Linked Web Storage-conforming applications.
+      </p>
+    </section>
+    <section id="conformance"></section>
+
+    <section id="terminology">
+      <h2>Terminology</h2>
+
+      <p>
+        The terms "authorization server" and "client" are defined by The OAuth 2.0 Authorization Framework [[!RFC6749]].
+      </p>
+
+      <p>
+        The terms "OpenID provider", "id token", "end-user", and "issuer" are defined by OpenID Connect Core 1.0 [[!OPENID-CONNECT-CORE]].
+      </p>
+
+      <p>
+        The term "openid connect discovery" is defined by OpenID Connect Discovery 1.0 [[!OPENID-CONNECT-DISCOVERY]].
+      </p>
+
+      <p>
+        The term "controlled identifier document" is defined by W3C Controlled Identifiers 1.0 [[!CID-1.0]].
+      </p>
+
+      <p>
+        The terms "JSON Web Token (JWT)" and "claim" are defined by JSON Web Token [[!RFC7519]].
+      </p>
+
+      <p>
+        The term "JSON Web Key (JWK)" is defined by JSON Web Key [[!RFC7517]].
+      </p>
+
+      <p>
+        The terms "end-user credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
+      </p>
+    </section>
+
+    <section id="serialization">
+      <h2>End-User Credential Serialization</h2>
+
+      <p>
+        OpenID Connect defines a protocol for producing signed ID Tokens, which are used to describe an end-user.
+        An ID Token is serialized as a signed JSON Web Token (JWT). In order to use an ID Token as an LWS end-user credential,
+        the following additional requirements apply.
+      </p>
+
+      <ul>
+        <li>
+          The ID Token MUST NOT use "none" as the signing algorithm.
+        </li>
+
+        <li>
+          The ID Token MUST use the <code>sub</code> (subject) claim for the LWS subject identifier.
+        </li>
+
+        <li>
+          The ID Token MUST use the <code>iss</code> (issuer) claim for the LWS issuer identifier.
+        </li>
+
+        <li>
+          The ID Token MUST use the <code>azp</code> (authorized party) claim for the LWS client identifier.
+        </li>
+
+        <li>
+          Any audience restriction in the ID Token MUST use the <code>aud</code> (audience) claim.
+          The <code>aud</code> claim SHOULD include the client identifier and any additional target
+          audience such as an authorization server.
+        </li>
+      </ul>
+
+      <p>
+        An example ID Token that is also an LWS end-user credential is included below.
+      </p>
+
+      <pre id="example-id-token" class="example">
+{
+  "typ": "JWT",
+  "kid": "12dbe73a",
+  "kty": "EC",
+  "alg": "ES256",
+  "crv": "P-256"
+}
+.
+{
+  "sub": "https://id.example/end-user",
+  "iss": "https://openid.example",
+  "azp": "https://client.example/17da1b",
+  "aud": ["https://client.example/17da1b", "https://as.example"],
+  "iat": 1761313600,
+  "exp": 1761313900
+}
+.
+signature
+      </pre>
+    </section>
+
+    <section id="validation">
+      <h2>End-User Credential Validation</h2>
+
+      <p>
+        For an ID Token to validate as an LWS end-user credential,
+        there must be a trust relationship between the verifier and the issuing party.
+      </p>
+
+      <p>
+        In the absence of a pre-existing trust relationship, the validator MUST dereference the <code>sub</code> (subject) claim in the end-user credential.
+        The resulting resource MUST be formatted as a valid controlled identifier document [[!CID-1.0]] with an <code>id</code> value equal to the subject identifier.
+      </p>
+
+      <p>
+        The verifier MUST use the subject's controlled identifier document to locate a service object whose <code>serviceEndpoint</code> value
+        is equal to the value of the <code>iss</code> claim from the end-user credential, and whose <code>type</code> value is equal to <code>https://www.w3.org/ns/lws#OpenIdProvider</code>.
+        The verifier MUST perform OpenID Connect Discovery to locate the public portion of the JSON Web Key (JWK) used to sign the end-user credential.
+        The JWT MUST be validated as described by OpenID Connect Core Section 3.1.3.7 [[!OPENID-CONNECT-CORE]].
       </p>
 
       <p>
-        This document also covers a variety of security, privacy, internationalization, and accessibility considerations for ecosystems that use the technologies described in this specification.
+        An example Controlled Identifier Document for an agent using OpenID Connect is included below.
+      </p>
+
+      <pre id="example-cid" class="example">
+{
+    "@context": [
+        "https://www.w3.org/ns/cid/v1"
+    ],
+    "id": "https://id.example/end-user",
+    "service": [{
+        "type": "https://www.w3.org/ns/lws#OpenIdProvider",
+        "serviceEndpoint": "https://openid.example"
+    }]
+}
+      </pre>
+    </section>
+
+    <section id="token-type">
+      <h2>Token Type Identifier</h2>
+
+      <p>
+        An ID Token used as an end-user credential MUST use the <code>urn:ietf:params:oauth:token-type:id_token</code> URI when interacting with an authorization server.
       </p>
+
+    </section>
+
+    <section id="security-considerations" class="informative">
+      <h2>Security Considerations</h2>
+
+      <p>
+        All security considerations described in "Best Current Practice for OAuth 2.0 Security" [[RFC9700]] and "OpenID Connect Core 1.0" Section 16 [[OPENID-CONNECT-CORE]] apply to this specification.
+      </p>
+
+      <p>
+        An OpenID provider should support a mechanism to restrict the audience of an end-user credential to a limited set of entities, including an authorization server.
+        One mechanism for achieving this is to use Resource Indicators for OAuth 2.0 [[RFC8707]].
+        A client in possession of an end-user credential with no audience restrictions should exchange this token for an equivalent audience-restricted token by using, for example, OAuth 2.0 Token Exchange [[RFC8693]].
+      </p>
+
+      <p>
+        An OpenID provider should provide support for "OAuth 2.0 Authorization Server Issuer Identification" [[RFC9207]] by including an <code>iss</code> parameter in the authorization response of an OAuth flow.
+      </p>
+
+      <p>
+        An OpenID provider should provide support for end-user logout, such as RP-Initiated Logout 1.0.
+      </p>
+
+      <p>
+        The issuer of an end-user credential is responsible for validating the client identifier.
+        The issuer may use mechanisms such as OAuth Client Metadata Document, OAuth 2.0 Client Id Prefix, or OpenID Federation.
+      </p>
+
+      <p>
+        It is recommended that OpenID providers support WebAuthn [[WEBAUTHN-3]] as a mechanism for authenticating users.
+      </p>
+    </section>
   </body>
 </html>