Session Topic: Webfinger
Convener: Evan Prodromou
Notes-taker(s): Markus Sabadello
Evan gave an overview of the Webfinger processs. The idea is that you discover information about an entity in a two-step process, which involves retrieving XRD documents from a well-known location. Problem: 2 round trips are required.
There's a philosophical difference between Webfinger and SWD. Webfinger: You retrieve a document. SWD: You ask for a specific thing.
The concern within the OpenID Connect community is that the discovery process must be simple enough.
Currently: 3rd IETF draft.
Likely scenario: Have both in the foreseeable future?
Webfinger has JSON now, but didnt have it when SWD was invented.
Latest Webfinger draft:
- XRD is moved to appendix, JSON is preferred
- It's possible to retrieve either host-meta.json or host-meta with "json" Accept header. --> confusing?
- JRD should be required, XRD optional
Both Webfinger and SWD are likely to co-exist for a while.
Which location out of a list should be picked? In the original XRDS format, there was "priority". Maybe in Webfinger just try the locations sequentially?
Doubts whether major players will support the latest Webfinger?
Major players currently don't support SWD, but will probably in the future.
Kynetx use-case: Need to discover someone's Personal Cloud, which involves an "event channel" GUID. A custom "rel" type is used in the JRD. The GUID is stored as the "href" field in the JRD. You can also have "properties" in an XRD/JRD, i.e. key/value pairs associated with the resource.
Advice: Vision of Webfinger is that you would have many more "rel"s for everything, e.g. blog updates, profile page, etc., rather than just the "event channel".
Reminder: Webfinger addresses are not necessarily e-mail addresses. The idea was to use identifiers that look familiar to users. Internally, they use the acct: URI scheme, but that's not exposed to the user.
Webfinger can not only be used with acct: URIs, but with any URI from which you can extract a domain name.
All information in Webfinger is public, which may be a good or bad thing. Is there a need for private discovery? Is there a need to authenticate a client before formulating the Webfinger response?
Another related effort: Dialback Access Authentication, to authenticate HTTP requests based on a Webfinger discovery system. Drawback: A roundtrip is required to verify the request.