WebID Glossary
Maintained by @kenrb
Purpose
Below is a list of definitions for important terms in common use related to WebID. Many of the definitions are intended to match existing terms in identity standards, in some cases adapted and constrained for relevance in the context of WebID.
This document is continually evolving. Feedback is welcome.
Definitions
Authentication
- Process used by an Identity Provider to achieve sufficient confidence in the binding between the user and a presented identity.
Note that in some discussions and documentation, the term authentication is used to refer to the federated sign-in process. However, the user does not authenticate to the RP during federated sign-in. The user authenticates to the IdP, which then provides a claim to the RP asserting the user’s identity. The user does not prove their identity to the RP.
External references: OIDC terminology, OIDC authentication, SAML glossary
Authorization
- Process used by a Relying Party to obtain access grants to information or capabilities for the user on an Identity Provider.
References: OAuth 2.0, SAML glossary
Browser-mediated
- The property of data flows between a Relying Party and an Identity Provider being forced through channels that are visible to and controllable by the user agent.
Ceremony
- A protocol that includes both network data flows and user interaction for the purpose of achieving authentication, authorization or sign-in.
References: WebAuthn glossary
Consent
- A part of a ceremony consisting of a user interaction with a clear, user agent-controlled UI element, which can be taken to mean that the user accepts the privacy risk explained in the accompanying text and that the ceremony may proceed accordingly.
Claim
- A piece of information asserted by an Identity Provider about a user.
References: OIDC terminology
Consumer (context)
- Category of use cases that apply generally to publicly-accessible Relying Parties and Identity Providers.
Directed basic profile
- A set of claims that is a restricted subset of the OpenID standard claims and, taken together, satisfies the constraints of a directed identifier (i.e. cannot be correlated across Relying Parties).
This term is novel in WebID and its details could be subject to change.
Directed identifier
- A claim granted to a Relying Party by an Identity Provider that constitutes an identifier for the user but cannot be correlated with other identifiers granted to different Relying Parties.
Enterprise (context)
- Category of use cases that apply to private restricted-access Relying Parties and Identity Providers, in particular where organizations can have provisioning capabilities over user agents. This typically encompasses use cases of corporations, institutions, or government agencies.
Federated sign-in
- Process used by a Relying Party to obtain a user identifier from an Identity Provider to which the user has authenticated.
References: OIDC
Identifier
- A claim or set of claims that comprises a unique mapping to a user within a given scope, such as for a particular Relying Party.
References: SAML glossary
Identity Provider (IDP)
- A service that has information about the user and can grant that information to Relying Parties.
References: OIDC terminology
Identity Provider backwards compatibility
- The property of a federated sign-in and authorization design that would allow deployment by Identity Providers that use existing standardized federation flows without them having to modify their services.
Identity Provider blindness
- The property of the Identity Provider not being aware of the specific Relying Party through all or part of a ceremony.
IDP tracking
- A privacy threat in which an Identity Provider is able to surveil or correlate user activity across the web.
References: WebID Threat Model
Relying Party (RP)
- A service that requests user information from an Identity Provider for user account sign-in or for other purposes.
References: OIDC terminology, SAML glossary
Relying Party backwards compatibility
- The property of a federated sign-in and authorization design that would allow deployment by Relying Parties that use existing standardized federation flows without them having to modify their web properties or account systems. This particularly applies to RPs that import scripts from Identity Providers to implement federation.
Relying Party blindness
- The property of the Relying Party not having access to a correlatable identifier (i.e. an identifier that is not a directed identifier) in a federated sign-in ceremony.
RP tracking
- A privacy threat in which a Relying Party is able to surveil or correlate user activity across the web.
References: WebID Threat Model
Standard claims
- A predefined set of claims about the user (such as sub, name, email and picture) that an OIDC Identity Provider can return in an ID Token or from the UserInfo Endpoint in response to a standard OIDC request, for the purpose of user identification.
This term is defined as a part of the OpenID Connect specification. The use of this term in WebID refers to the OIDC definition.
References: OIDC
Verifiably directed identifier
- A directed identifier with the additional property that the user agent is able to verify that it is directed, rather than having to trust the Identity Provider's assertion that it is.
User agent
- Client software such as a web browser that renders web content and can implement WebID.