Authentication Delegation

Not all Web applications are readily WebID compatible (SSL configuration steps involved on a server which must support initiating SSL client cert authentication aren't always easy to perform). It can then be handy to support WebID authentication (for SSO purposes, for instance), by delegating to a third party service the task of authenticating a WebID.

This can be implemented with the WebIDDelegatedAuth lib (or parts of libAuthentication, for instance) which may be used in a web application (which isn't able itself to prompt user's browsers for their client certs, for instance) to delegate to a trusted (by the admin of that app) third party service, which will authenticate the users via their WebID's client SSL certs, and will in turn provide the requesting app with their identification in the form of tehir WebID URI. Later, the app may dereference that URL to fetch additional details about the identified user in their FOAF.

Services which can provide such authentication for relying applications include

• foafssl.org
• auth.my-profile.eu (implemented with WebIDAuth), etc
• ODS Delegated Authentication Service (you can also use WebID based ACLs to control access to this service) .