OpenID Server for Self-Sovereign Identity Project
Key Requirements
- Implement an OpenID Connect identity provider that works with SSI.
- Allow users with Self-Sovereign IDs (SSI) to identify themselves without
using a password.
- Disable username/password-based authentication.
Why
- Leverage existing OpenID infrastructure to extend the use of SSI to servers
that support OpenID but not SSI.
Stories
- SSI users want to sign on to a website that has OpenID, but does not
currently support SSI.
Nice-to-haves
- Log which remote systems have used the ID provider, at authentication time,
for a given user.
Additional sibling project ideas
- Implement a meta project in Ansible to install on a web server.
- Implement an SSI client via the CLI.
- Implement an identity-layer library for application layers to call instead of
a transport-layer library. For example, it would use TLS but hide it.
Suggestions
- Reuse an existing implementation of an OpenID Connect identity provider.
- The sibling project for an SSI application is still in progress. Until it is
ready, this project might benefit from a thin SSI client that runs from the
terminal.
- While some ASP.NET and Java versions exist, and could have good design, stick
with a language framework from a more freedom-respecting company.
FAQ
Aren't OpenID and OAuth two different things?
OpenID Connect (basically v3) is a layer on top of OAuth.