Description
WebID is based on the notion that a WebID is an HTTP URI that identifies an Agent.
WebID-TLS is an authentication protocol that authenticates a WebID based on a TLS-handshake enhancement that looks up profile claims in a WebID-Profile doc discovered via the WebID placed in the SAN of an X.509 Cert used in a successful TLS-handshake.
All of the above holds true when I use a SoLiD POD deployed using a solid-server instance that supports the WebID-TLS protocol.
The above doesn't happen if I use a SoLiD POD deployed using a solid-server instance that supports the WebID-OIDC protocol. The following code block pretty much ensures the problem in question.
```js
allowsSessionFor (userId, origin) {
  // Allow no user or an empty origin
  if (!userId || !origin) return true
  // Allow the server's main domain
  if (origin === this.serverUri) return true
  // Allow the user's subdomain
  const userIdHost = userId.replace(/([^:/])\/.*/, '$1')
  if (origin === userIdHost) return true
  // Disallow everything else
  return false
}
```
Links
[1] https://solid.openlinksw.com:8443 -- WebID-TLS (with optional Delegation support) IdP
[2] https://kidehen3.solid.openlinksw.com:8443 -- WebID-TLS (plus optional Delegation support) POD
[3] https://solid.openlinksw.com:8444 -- WebID-OIDC IdP
[4] https://kidehen7.solid.openlinksw.com:8444 -- WebID-OIDC POD
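An added example, not part of the original issue or the project's code: the check quoted above lifted into a standalone function and run over constructed origins, to show which request origins it accepts for a given WebID. The `example` host names, the `evaluate` helper, and passing `serverUri` as a parameter instead of reading `this.serverUri` are assumptions made for this example.

```javascript
// Standalone copy of the quoted check; serverUri is a parameter here
// (assumption for this example) rather than a property of `this`.
function allowsSessionFor (serverUri, userId, origin) {
  if (!userId || !origin) return true
  if (origin === serverUri) return true
  if (origin === webIdHost(userId)) return true
  return false
}

// The same regex as in the quoted code: cut the WebID at the first "/"
// that follows the authority, keeping scheme, host and any explicit port.
function webIdHost (userId) {
  return userId.replace(/([^:/])\/.*/, '$1')
}

// Hypothetical helper: evaluate a list of origins against one WebID.
function evaluate (serverUri, userId, origins) {
  return origins.map(origin => ({
    origin,
    allowed: allowsSessionFor(serverUri, userId, origin)
  }))
}

// Constructed sample values (not taken from the issue).
const SERVER = 'https://pods.example:8444'
const WEBID = 'https://alice.pods.example:8444/profile/card#me'

const results = evaluate(SERVER, WEBID, [
  'https://pods.example:8444',       // the server itself
  'https://alice.pods.example:8444', // the WebID's own host
  'https://bob.pods.example:8444',   // another pod on the same server
  'https://app.example',             // an app hosted elsewhere
  ''                                 // no Origin supplied
])

// Edge case: a WebID written with an explicit default port keeps ":443" in
// webIdHost(), while the Origin a browser sends for that host omits it.
const defaultPort = evaluate(
  'https://pods.example',
  'https://alice.example:443/profile/card#me',
  ['https://alice.example']
)

for (const r of results.concat(defaultPort)) {
  console.log((r.allowed ? 'allow ' : 'deny  ') + JSON.stringify(r.origin))
}
```

Only the server's own URI and the exact scheme, host and port taken from the WebID pass; every other non-empty origin is refused, including one that differs only by an explicit default port.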