
OpenID Server for Self-Sovereign Identity Project

Key Requirements

  1. Implement an OpenID Connect identity provider that works with SSI.
  2. Allow users with Self-Sovereign IDs (SSI) to identify themselves without the use of a password.
  3. Disable user/password-based authentication.

Why

  1. Leverage existing OpenID infrastructure to extend the use of SSI for servers that have OpenID but not SSI.

Stories

  1. SSI users want to sign on to a website that has OpenID, but does not currently support SSI.

Nice-to-haves

  • Log which remote systems used the ID provider, at authentication time, for a given user.

Additional sibling project ideas

  • Implement a meta project in Ansible to install on a web server.
  • Implement an SSI client via the CLI.
  • Implement an identity-layer library for applications to call instead of a library over the transport layer. This would, for example, use TLS but hide it from the application.

Suggestions

  • Reuse an existing implementation of an OpenID Connect identity provider.
  • The sibling project for an SSI application is still in progress. Until it is ready, this project might benefit from a thin SSI client that runs from the terminal.
  • While some ASP.NET and Java versions exist, and could have good design, stick with a language framework from a more freedom-respecting company.

FAQ

Aren't OpenID and OAuth two different things?

OpenID Connect (basically v3) is a layer on top of OAuth.
