18 changes: 18 additions & 0 deletions index.bs
@@ -525,6 +525,24 @@ data leaks should an attacker gain access to Client credentials.
Clients are ephemeral, client registration is optional, and most Clients cannot keep secrets. These,
among other factors, are what makes Client trust challenging.

## Issuer Trust ## {#security-issuer-trust}

*This section is non-normative*

A Solid-OIDC user's identity is asserted by the OpenID Provider listed in their WebID Profile via
`solid:oidcIssuer`. Implementers and end-users should consider the trust they place in that issuer:

* **Issuer trust is unconditional.** Every assertion of the user's identity comes from the issuer.
The user is fully reliant on it; a compromised, malicious, or unavailable issuer can deny access
to all of the user's data, impersonate the user, or selectively rewrite the WebID's
identity-related claims. A high degree of trust in the chosen issuer is therefore necessary.
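Review bot: The first bullet ("Issuer trust is unconditional") overstates the issuer's power in one clause and leaves out the check that bounds it. An OpenID Provider cannot "selectively rewrite the WebID's identity-related claims": the WebID Profile lives in the user's own storage, and it is the profile that designates the issuer via `solid:oidcIssuer`, not the reverse. What a compromised or malicious issuer controls is the claims it signs into tokens, so it can impersonate, or lock out, every agent whose profile lists it, and only those agents, as long as the relying party checks the token's issuer against the profile's `solid:oidcIssuer`. Suggest rewording that clause to "mint tokens asserting the user's WebID" and adding a sentence that the issuer-to-profile check is what confines a rogue issuer's reach to the WebIDs that name it. Separately, "an unavailable issuer can deny access to all of the user's data" should be qualified as denying new authentication: tokens already issued remain valid until they expire, which also matters for the compromise case (revocation is not immediate).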
Comment on lines +535 to +538
Member Author

Suggested change
* **Issuer trust is unconditional.** Every assertion of the user's identity comes from the issuer.
The user is fully reliant on it; a compromised, malicious, or unavailable issuer can deny access
to all of the user's data, impersonate the user, or selectively rewrite the WebID's
identity-related claims. A high degree of trust in the chosen issuer is therefore necessary.
* **Identity Provider trust.** Every assertion of the user's identity comes from the identity provider.
The user is fully reliant on it; a compromised, malicious, or unavailable identity provider can deny access
to all of the user's data, impersonate the user, or selectively rewrite the WebID's
identity-related claims. A high degree of trust in the chosen identity provider is therefore necessary.


Member Author

@jeswr jeswr Jun 3, 2026

Suggested change
The authorization server has to choose to trust the identity provider selected by the user before granting access. This choice may be to delegate the choice completely to users, or to restrict the set of identity providers to a specific trust list.

* **Many agents on a single issuer is a single point of failure.** Where many agents share a single
issuer, that issuer is a concentration point: a single compromise, outage, or service-level
decision affects every agent that depends on it. Attacks tend to focus on major centralisations,
so concentration risk grows with the issuer's user base. Implementations offering accounts under
a shared issuer should plan for this risk.
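Review bot: The second bullet ("Many agents on a single issuer is a single point of failure") lists three distinct failure modes, compromise, outage and service-level decision, but closes with "should plan for this risk" without saying what the plan is, and the mitigations differ per mode. Suggest replacing the final sentence with the concrete options already implied by the WebID binding: an outage is survivable if the WebID Profile lists more than one `solid:oidcIssuer`, since any listed issuer can assert the identity; a compromise is bounded only if relying parties can stop trusting an issuer (a trust list, or removing it from the profile) and short token lifetimes limit the window; a service-level decision is mitigated by the user's ability to point `solid:oidcIssuer` at a different provider. It is worth stating the trade-off in the same place: every additional listed issuer is another party that can impersonate the agent, so redundancy widens the attack surface. Two smaller points: "Attacks tend to focus on major centralisations" is asserted without support and reads better softened to "large shared issuers are attractive targets"; and the bullet switches between "agents" and "user base" for the same population, so pick one term.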
Comment on lines +540 to +544
Member Author

Suggested change
* **Many agents on a single issuer is a single point of failure.** Where many agents share a single
issuer, that issuer is a concentration point: a single compromise, outage, or service-level
decision affects every agent that depends on it. Attacks tend to focus on major centralisations,
so concentration risk grows with the issuer's user base. Implementations offering accounts under
a shared issuer should plan for this risk.
* **The identity provider service is a point of failure.** Identity provider(s) are required to attest an agent's identity. Not all authentication methods require an identity provider service; this is a specific requirement of Solid-OIDC.
Agents may have multiple identity providers. Having multiple identity providers can provide redundancy in the event of an outage of one identity provider service. The trade-off is that this increases the attack surface of malicious identity providers.
Where many agents share a single identity provider, that identity provider is a concentration point: a single compromise, outage, or service-level decision affects every agent that depends on it. Attacks tend to focus on major centralisations, so concentration risk grows with the issuer's user base. Implementations offering accounts under a shared issuer should plan for this risk.


# Privacy Considerations # {#privacy}

## OIDC ID Token Reuse ## {#privacy-token-reuse}