
Security considerations for integrity of solid:oidcIssuer triples

Open Otto-AA opened this issue 2 years ago • 4 comments

I am not sure if this is the correct specification, but I'd suggest adding security considerations for the writability/changeability of the solid:oidcIssuer triple in the WebID profile.

The solid:oidcIssuer is used to verify that access tokens are created by the right entity for a WebID:

A WebID Profile lists the OpenID Providers who are trusted to issue tokens on behalf of the agent who controls the WebID.

In turn this means, if someone is able to add or change this triple in the profile, they can point it to a server under their control and create valid access tokens. Thus, append or write access to the profile indirectly gives access to anything the WebID has access to.

I propose to add a Security Consideration along the lines of: "WebID providers SHOULD/MUST ensure the integrity of solid:oidcIssuer triples. Any agent that can modify or add solid:oidcIssuer triples to the WebID could impersonate this WebID."

In practice, this could be implemented in one of following ways:

  • make the WebID readonly (I think this is what ESS does in combination with an extended profile)
  • reject requests that modify or add solid:oidcIssuer triples to the WebID, even if the agent has append/write access

Otto-AA avatar Mar 26 '23 16:03 Otto-AA

Thank you @Otto-AA, there is also https://github.com/solid/webid-profile but since OIDC relies on it we can also add it here. /cc @VirginiaBalseiro

elf-pavlik avatar Mar 27 '23 14:03 elf-pavlik

I am in favor of your second but not the first. I find the ESS approach of forbidding apps from editing the profile document much too restrictive. OTOH, if the IdP allows patches to the profile but intercepts them and disallows changes to oidcIssuer, that would seem to allow both security and user control over their own profile.

jeff-zucker avatar Apr 05 '23 15:04 jeff-zucker
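A worked illustration of the two points made above, the issuer check in the opening post that makes the triple security-critical and the intercept-and-refuse approach favoured in the previous comment. This is an added example, not code from the Solid-OIDC specification, ESS or any other Solid server; the WebID, issuer URLs, token claims and the Patch/profile data model are constructed for the demonstration, and only the solid:oidcIssuer and foaf:name predicate IRIs are real.

```python
"""Toy model of why solid:oidcIssuer is security-critical and how a server
can guard it. Added example, not code from any Solid spec or server.
All WebIDs, issuer URLs and token claims below are constructed."""
from dataclasses import dataclass, field

# Real predicate IRIs.
SOLID_OIDC_ISSUER = "http://www.w3.org/ns/solid/terms#oidcIssuer"
FOAF_NAME = "http://xmlns.com/foaf/0.1/name"

# Constructed identifiers for the demonstration.
WEBID = "https://alice.example/profile/card#me"
TRUSTED_IDP = "https://idp.example"
ATTACKER_IDP = "https://attacker.example"


@dataclass
class Patch:
    """Minimal model of an N3 Patch / SPARQL UPDATE: triples to delete and insert."""
    deletes: set = field(default_factory=set)
    inserts: set = field(default_factory=set)


class ProfileIntegrityError(Exception):
    """Raised when a write would change who may issue tokens for the WebID."""


def trusted_issuers(profile: set, webid: str) -> set:
    """Issuers the profile document lists for this WebID."""
    return {o for (s, p, o) in profile if s == webid and p == SOLID_OIDC_ISSUER}


def token_accepted(profile: set, token: dict) -> bool:
    """Resource-server side of the Solid-OIDC check: the token's iss must be
    listed as a solid:oidcIssuer in the profile of its webid claim.
    Signature, expiry and DPoP checks are out of scope for this model."""
    return token["iss"] in trusted_issuers(profile, token["webid"])


def touches_issuer(patch: Patch, webid: str) -> bool:
    """True if the patch adds, removes or replaces an issuer triple for webid."""
    return any(s == webid and p == SOLID_OIDC_ISSUER
               for (s, p, _) in patch.deletes | patch.inserts)


def apply_patch_unguarded(profile: set, patch: Patch) -> set:
    """What a plain Write/Append grant on the profile lets through."""
    return (profile - patch.deletes) | patch.inserts


def apply_patch_guarded(profile: set, patch: Patch, webid: str) -> set:
    """Second mitigation from the issue: the agent may hold Write/Append,
    but any patch that touches the issuer triple is refused."""
    if touches_issuer(patch, webid):
        raise ProfileIntegrityError(
            f"patch would alter solid:oidcIssuer for {webid}; refusing")
    return apply_patch_unguarded(profile, patch)


def demo() -> dict:
    """Run the hijack against an unguarded and a guarded server; return outcomes."""
    profile = {(WEBID, SOLID_OIDC_ISSUER, TRUSTED_IDP)}
    rogue_token = {"iss": ATTACKER_IDP, "webid": WEBID}
    good_token = {"iss": TRUSTED_IDP, "webid": WEBID}

    # Attacker with Write on the profile swaps the issuer for their own IdP.
    hijack = Patch(deletes={(WEBID, SOLID_OIDC_ISSUER, TRUSTED_IDP)},
                   inserts={(WEBID, SOLID_OIDC_ISSUER, ATTACKER_IDP)})
    # A benign profile edit that the guard must still allow.
    rename = Patch(inserts={(WEBID, FOAF_NAME, "Alice")})

    result = {
        "rogue_before": token_accepted(profile, rogue_token),  # False
        "good_before": token_accepted(profile, good_token),    # True
    }
    hijacked = apply_patch_unguarded(profile, hijack)
    result["rogue_after_unguarded"] = token_accepted(hijacked, rogue_token)  # True
    result["good_after_unguarded"] = token_accepted(hijacked, good_token)    # False
    try:
        apply_patch_guarded(profile, hijack, WEBID)
        result["hijack_blocked"] = False
    except ProfileIntegrityError:
        result["hijack_blocked"] = True  # True
    edited = apply_patch_guarded(profile, rename, WEBID)
    result["benign_edit_ok"] = ((WEBID, FOAF_NAME, "Alice") in edited
                                and token_accepted(edited, good_token))  # True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard is scoped to the profile's own WebID as subject, matching the wording of the issue; a stricter server could refuse any triple with the solid:oidcIssuer predicate regardless of subject. Note that the unguarded run also shows the owner's legitimate tokens being rejected after the swap, so the hijack is a lockout as well as an impersonation. The first mitigation (a read-only profile, as described for ESS) corresponds to refusing every patch, which is what the comment above objects to.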

The issuer is in and of itself a point of failure when it is compromised.

csarven avatar May 21 '24 21:05 csarven

We plan to discuss this issue next week https://github.com/orgs/solid/projects/16/views/3?pane=issue&itemId=65170443 on Tuesday

elf-pavlik avatar May 29 '24 16:05 elf-pavlik