Support for RFC 9207 (Authorization Response Issuer Identification)

[uvdsl]

I would like to volunteer to do my bit of editing on the Solid-OIDC specification, starting with this proposal.

I have a implemented solid-oidc-client-browser, and following up the discussion in #221, I would like to propose adding the there outlined mechanism of [RFC9207], in accordance with the Current Best Practice [RFC9700].

[RFC9207] prevents Mix-up Attacks by requiring the Identity Provider to return an iss parameter alongside the authorization code. This allows the client to verify that the response originated from the intended provider, which is particularly critical in the decentralized environment that Solid facilitates where clients often interact with multiple, dynamic OPs discovered via WebIDs.

Requirement for RFC 9207

Current Best Practice [RFC9700] declare defense against mix-up attacks REQUIRED if a client may interact with multiple Authorization Servers (i.e., Identity Providers in our case). To do so, they recommend either supporting [RFC9207] or choosing an alternative.

In Solid-OIDC

• it is assumed that there does not pre-exist a trust relationship between client and Identity Provider, and
• thus clients are expected to interact with multiple different Identity Providers, and
• the specification does not mandate an alternative defense against mix-up attacks

Therefore, supporting [RFC9207] is a requirement.

Implementation Experience

Supporting [RFC9207] in the client library was straight forward and required only a few lines of code. See also uvdsl/solid-oidc-client-browser#12 on the server-support of [RFC9207]:

Already supported by

• the Solid Community Server (CSS)
• Pivot as a fork of CSS
• Graphmetrix' TrinPod
• Inrupt's Enterprise Solid Server (ESS), e.g., deployed at PodSpaces

Close to support

• the Node Solid Server (NSS) (should be supported as of version 6, though I did not yet come around to testing it)
• the PHP implementations, i.e. the PHP Solid Server and Nextcloud Plugin, are on track to supporting it

Status unkown

• https://github.com/NoelDeMartin/lss
• https://github.com/manomayam/manas

[elf-pavlik]

#244 has fix for the build breaking on CI

latest version was generated quite some time ago, i saw in my local output that formatting for authors links doesn't work any more, there might be some other things that will break.

Locally I used latest version 7.0.7 from nix packages via devbox https://www.nixhub.io/packages/bikeshed