This document defines an OpenID Connect-based authentication suite for the Linked Web Storage (LWS) protocol, enabling LWS applications to integrate with OpenID providers.
This is an unofficial proposal.
OpenID Connect is a widely used mechanism for web-based authentication. This authentication suite describes how an OpenID provider can be used with Linked Web Storage-conforming applications.
The terms "authorization server" and "client" are defined by The OAuth 2.0 Authorization Framework [[!RFC6749]].
The terms "OpenID provider", "id token", "end-user", and "issuer" are defined by OpenID Connect Core 1.0 [[!OPENID-CONNECT-CORE]].
The term "openid connect discovery" is defined by OpenID Connect Discovery 1.0 [[!OPENID-CONNECT-DISCOVERY]].
The term "controlled identifier document" is defined by W3C Controlled Identifiers 1.0 [[!CID-1.0]].
The terms "JSON Web Token (JWT)" and "claim" are defined by JSON Web Token [[!RFC7519]].
The term "JSON Web Key (JWK)" is defined by JSON Web Key [[!RFC7517]].
The terms "end-user credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
OpenID Connect defines a protocol for producing signed ID Tokens, which are used to describe an end-user. An ID Token is serialized as a signed JSON Web Token (JWT). In order to use an ID Token as an LWS end-user credential, the following additional requirements apply.
sub (subject) claim for the LWS subject identifier.
iss (issuer) claim for the LWS issuer identifier.
azp (authorized party) claim for the LWS client identifier.
aud (audience) claim.
The aud claim SHOULD include the client identifier and any additional target
audience such as an authorization server.
An example ID Token that is also an LWS end-user credential is included below.
{
"typ": "JWT",
"kid": "12dbe73a",
"kty": "EC",
"alg": "ES256",
"crv": "P-256"
}
.
{
"sub": "https://id.example/end-user",
"iss": "https://openid.example",
"azp": "https://client.example/17da1b",
"aud": ["https://client.example/17da1b", "https://as.example"],
"iat": 1761313600,
"exp": 1761313900
}
.
signature
For an ID Token to validate as an LWS end-user credential, there must be a trust relationship between the verifier and the issuing party.
In the absence of a pre-existing trust relationship, the validator MUST dereference the sub (subject) claim in the end-user credential.
The resulting resource MUST be formatted as a valid controlled identifier document [[!CID-1.0]] with an id value equal to the subject identifier.
The verifier MUST use the subject's controlled identifier document to locate a service object whose serviceEndpoint value
is equal to the value of the iss claim from the end-user credential, and whose type value is equal to https://www.w3.org/ns/lws#OpenIdProvider.
The verifier MUST perform OpenID Connect Discovery to locate the public portion of the JSON Web Key (JWK) used to sign the end-user credential.
The JWT MUST be validated as described by OpenID Connect Core Section 3.1.3.7 [[!OPENID-CONNECT-CORE]].
An example Controlled Identifier Document for an agent using OpenID Connect is included below.
{
"@context": [
"https://www.w3.org/ns/cid/v1"
],
"id": "https://id.example/end-user",
"service": [{
"type": "https://www.w3.org/ns/lws#OpenIdProvider",
"serviceEndpoint": "https://openid.example"
}]
}
An ID Token used as an end-user credential MUST use the urn:ietf:params:oauth:token-type:id_token URI when interacting with an authorization server.
All security considerations described in "Best Current Practice for OAuth 2.0 Security" [[RFC9700]] and "OpenID Connect Core 1.0" Section 16 [[OPENID-CONNECT-CORE]] apply to this specification.
An OpenID provider should support a mechanism to restrict the audience of an end-user credential to a limited set of entities, including an authorization server. One mechanism for achieving this is to use Resource Indicators for OAuth 2.0 [[RFC8707]]. A client in possession of an end-user credential with no audience restrictions should exchange this token for an equivalent audience-restricted token by using, for example, OAuth 2.0 Token Exchange [[RFC8693]].
An OpenID provider should provide support for "OAuth 2.0 Authorization Server Issuer Identification" [[RFC9207]] by including an iss parameter in the authorization response of an OAuth flow.
An OpenID provider should provide support for end-user logout, such as RP-Initiated Logout 1.0.
The issuer of an end-user credential is responsible for validating the client identifier. The issuer may use mechanisms such as OAuth Client Metadata Document, OAuth 2.0 Client Id Prefix, or OpenID Federation.
It is recommended that OpenID providers support WebAuthn [[WEBAUTHN-3]] as a mechanism for authenticating users.