OASIS Mailing List Archives

xdi message

Subject: Authentication


So I am interested in the TC's opinions on how an XDI client can authenticate to an XDI server.

Link contracts specify authorization (i.e. who can do what under what conditions).
My understanding is that the link contract also specifies what authentication methods it allows.

I am thinking several authentication methods should be supported:

- Authentication with OpenID Connect token:
The client includes a token in the XDI message.
The server or the link contract would have to know what tokens would be accepted (from which issuer, etc.)

- Authentication with SAML token:
Similar to OpenID Connect.

- Authentication with signature:
The client includes a signature in the XDI message.
The server or the link contract would have to know what signatures would be accepted (certificate from which authority, etc.)

- Authentication with password:
The client includes a password (or a hash of it) in the XDI message.
In this case, the server or the link contract would have to know the correct password for a given sender.

So I am thinking a link contract must specify:
1. The allowed authentication method(s).
2. For each authentication method, the details (see above).

Should this information be expressed by additional XDI statements on the link contract?
Or is all of this part of the policy nodes, i.e. expressed in JavaScript?
The downside of expressing authentication in JavaScript is that an XDI client can't ask the question what kind of authentication is needed.
Would some (or all) of the authentication information (e.g. a list of valid passwords) be "hidden" on the server and not visible in the graph or in JavaScript at all?

Are there any examples out there, e.g. from OpenXDI?

thanks
Markus
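The split Markus sketches above, as an added example that is not part of the thread or of any XDI implementation: the link contract holds the allowed methods and their public details (which issuer, etc.) where a client can read them, while the server keeps the password hash and issuer key hidden and dispatches on the method the message presents. The sender name, issuer URL, key material and the HMAC-tagged token (a stand-in for a signed OpenID Connect ID token) are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed link contract (not from the thread or any XDI implementation): the allowed
# methods and their public details are visible, so a client can read contract["auth"].
LINK_CONTRACT = {
    "sender": "=markus",                                   # constructed sender name
    "auth": {
        "oidc_token": {"issuer": "https://idp.example"},   # accepted token issuer
        "password": {},                                    # no public detail; secret stays server-side
    },
}

# Constructed hidden server state, never exposed in the contract.
_SALT = b"constructed-demo-salt"
SERVER_SECRETS = {
    "password_hashes": {"=markus": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)},
    "issuer_keys": {"https://idp.example": b"issuer-demo-key"},  # stand-in for the issuer's public key
}

def _tag(key, claims):
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), "sha256").hexdigest()

def issue_token(claims, secrets=SERVER_SECRETS):
    # Constructed issuer side: HMAC-tagged claims stand in for a signed ID token
    return claims, _tag(secrets["issuer_keys"][claims["iss"]], claims)

def _check_password(sender, password, secrets):
    expected = secrets["password_hashes"].get(sender)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return expected is not None and hmac.compare_digest(candidate, expected)

def _check_token(sender, token, details, secrets):
    claims, tag = token
    key = secrets["issuer_keys"].get(claims.get("iss"))
    # The contract names the acceptable issuer; the token must come from it and name the sender
    ok = key is not None and claims.get("iss") == details["issuer"] and claims.get("sub") == sender
    return ok and hmac.compare_digest(_tag(key, claims), tag)

def authenticate(message, contract=LINK_CONTRACT, secrets=SERVER_SECRETS):
    # Accept the XDI message only if its credential satisfies a method the contract allows
    sender, auth = message["sender"], message["auth"]
    details = contract["auth"].get(auth["method"])
    if sender != contract["sender"] or details is None:
        return False  # wrong sender, or a method (e.g. SAML) this contract does not offer
    if auth["method"] == "password":
        return _check_password(sender, auth["password"], secrets)
    return _check_token(sender, auth["token"], details, secrets)
```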
