Standard Single Sign-on for all users across the network for user-level permissions
The context is that we want to expand the permissioning module to allow for user-to-user permission granting as well as user-to-platform permissions.
To achieve this we will need to be able to uniquely identify users by federating a single identity.
In a previous discussion we considered using Solid-OIDC with a WebID to provide this identity, and this may still become a long-term ambition.
In the meantime, we would like to scope the possibility of federating identities using Keycloak. We will need to define a list of the OIDC providers which are used within the network.
This will also impact proxy registration (projets/projets-clients/open-food-network/ofn-rpp#7), because the identity created during registration will need to be a part of this federation. It's possible that we will use the proxy as an OIDC identity provider for users.
The following applications have been listed as relying parties:
- OFN
- Shopify
- SiB proxy (DjangoLDP)
Once we have established a federated identity we will be able to identify users regardless of how they connect to the network, and we'll be able to use this identity in the provision of permissions.
Notes
One concern I had previously raised is that when users connect to a platform through several OIDC methods, they can accidentally end up with several separate identities. We may need to devise a way to link those identities into one federated identity without relying on anything that can be spoofed, which could prove to be a difficult task.
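As an added illustration of the linking concern above (this is example code, not part of this issue, Keycloak or any of the listed applications): a small federation store that keys every login on the provider-asserted `(iss, sub)` pair and only joins two logins into one network-wide identity when the issuer is on the network's provider list and asserts `email_verified`. The issuer URLs and claim sets are constructed placeholders.

```python
# Added example: maps logins from several OIDC providers onto one federated user.
# A stable identity is the (iss, sub) pair; an email is only used for linking when
# the issuer is in the network's list and it asserts email_verified, so a
# self-registered, unverified address at another provider does not join accounts.
from dataclasses import dataclass, field

# Constructed list of the network's OIDC providers (placeholder issuer URLs).
TRUSTED_ISSUERS = {
    "https://ofn.example/oidc",
    "https://shopify.example/oidc",
    "https://sib-proxy.example/oidc",
}


@dataclass
class FederatedUser:
    uid: str                                  # network-wide id used for permissions
    links: set = field(default_factory=set)   # {(iss, sub), ...} logins joined here


class IdentityFederation:
    def __init__(self):
        self.by_link = {}    # (iss, sub) -> FederatedUser
        self.by_email = {}   # verified, lower-cased email -> FederatedUser
        self.users = []

    def resolve(self, claims):
        """Return the FederatedUser for one OIDC ID-token claim set."""
        iss, sub = claims["iss"], claims["sub"]
        if iss not in TRUSTED_ISSUERS:
            raise ValueError(f"issuer not in federation: {iss}")
        link = (iss, sub)
        user = self.by_link.get(link)
        if user is not None:
            return user                       # seen this provider identity before
        email = claims.get("email")
        verified = bool(email) and claims.get("email_verified") is True
        if verified:
            user = self.by_email.get(email.lower())   # join only on verified email
        if user is None:
            user = FederatedUser(uid=f"user-{len(self.users) + 1}")
            self.users.append(user)
        if verified:
            self.by_email.setdefault(email.lower(), user)
        user.links.add(link)
        self.by_link[link] = user
        return user
```

A login whose email is unverified (or whose issuer is unknown) never merges into an existing account; it either gets its own identity or is rejected, which is the conservative default the note above argues for.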