Scenario: Alice, using her browser, wants to access resources on server bob.example, authenticating herself as the owner of server alice.example (or of a specific resource on it).
Original answer: use WebID-TLS. But support in the browser has issues, so what are some alternatives?
- Proxy-TLS: Alice talks to her pod, while her pod uses WebID-TLS to talk to bob.example. Her secret key remains on her pod.
- Digital Signatures: Alice signs her request to bob.example using a (non-TLS) private key; bob.example verifies it with the public key obtained from alice.example.
- Token Confirmation: A secret bearer token passes through all three parties, confirming to bob.example that the client controls alice.example
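
A sketch of the Digital Signatures alternative above, added here as an example and not taken from WebID RSA, HTTP Signatures or any other design named on this page: Alice signs a request bound to bob.example and a timestamp, and bob.example verifies it with the key published under her identity. The Ed25519 key type, the signed fields, the in-memory `keyDirectory` standing in for the fetch from alice.example, and all function names are assumptions.

```javascript
// Added example: signRequest, verifyRequest, keyDirectory and the message
// layout are assumptions for illustration, not WebID RSA or HTTP Signatures.
const crypto = require('crypto');

// Alice's key pair. The private key stays with Alice's client; the public key
// is what alice.example would publish for her identity.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Stand-in for "obtain the public key from alice.example" (constructed data).
const keyDirectory = { 'https://alice.example/#me': publicKey };

// String covered by the signature. Including the target host and a timestamp
// binds the signature to one server and a short time window.
function signingString(req) {
  return [req.method, req.host, req.path, req.identity, req.created].join('\n');
}

// Client side: Alice signs the request she is about to send to bob.example.
function signRequest(req, key) {
  const sig = crypto.sign(null, Buffer.from(signingString(req)), key);
  return { ...req, signature: sig.toString('base64') };
}

// Server side (bob.example): returns 'ok' or the reason for rejection.
function verifyRequest(req, myHost, now, maxSkewSec = 300) {
  if (req.host !== myHost) return 'wrong-audience';  // signed for another server
  if (Math.abs(now - req.created) > maxSkewSec) return 'stale';  // outside replay window
  const key = keyDirectory[req.identity];  // key comes from the claimed identity
  if (!key) return 'unknown-identity';
  const ok = crypto.verify(null, Buffer.from(signingString(req)), key,
                           Buffer.from(req.signature, 'base64'));
  return ok ? 'ok' : 'bad-signature';
}

// Constructed sample request and timestamp.
const T0 = 1700000000;
const signed = signRequest({ method: 'GET', host: 'bob.example', path: '/photos/',
                             identity: 'https://alice.example/#me', created: T0 },
                           privateKey);
console.log(verifyRequest(signed, 'bob.example', T0 + 10));
```

Because the host and timestamp are inside the signed string, a server that receives this request cannot reuse it at a different host or after the skew window.
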
Candidates | Proxy | Digital Signatures | Token Confirmation |
---|---|---|---|
Homegrown Design | TBD | WebID RSA | SPOT |
Community Design | TBD | HTTP Signatures | IndieAuth |
Two more token confirmation approaches:
- EvanP's Dialback: I-D, Issues. Abandoned.
- Melvin's Solid Cookies. Uses just the existing Solid protocol.

| | WebID RSA | HTTP-Sig | SPOT | IndieAuth |
|---|---|---|---|---|
| User identifier | WebId | ?? | Web Page | Web Page |
| Works in browser with JS off | N | N | N | Yes (OAuth Flow) |
| Discovery | GET RDF | ?? | HTTP Headers | Parse HTML + HTTP Headers |
| Profile can be on static site | Y | Y | N | Y |
| Implementations | - | Digital Bazaar? | - | Several in IndieWebCamp |
| Client round trips | | | | |
| Patent Status | | | | |