input from Michael

[zenomt]

typical use case: the Pod's owner cares about what apps can access various locations in their Pod as the owner, and doesn't care about apps used by visitors (especially because visitors can lie).

any indication by an IdP (example: OpenID Provider) or in the user's profile about trust or desired permission limits would be at the discretion of the Resource Server (RS) to honor anyway. an IdP doesn't have standing to govern permissions in an unassociated RS. an enumeration of trusted applications and permissions in the user's profile would need to be publicly accessible in order to be used at an unassociated RS (unacceptable for privacy and security), and the current acl:trustedApp scheme doesn't solve the "access for just my chats" use case.

i propose the following:

1. client attempts authenticated (webid + appid) access to a resource
2. 403 Forbidden response
   • if appropriate, include request-permission URI (new link rel= or new header)
   • "appropriate" depends on resource server policy
     • maybe only when webid is the owner
     • maybe for special webids
     • maybe for anybody
   • request-permission URI includes enough information to recover webid, appid, method, and relevant portion of original URI (examples: stateless signed direct encoding, opaque key to DB record)
   • request-permission URI SHOULD only be valid for a limited time
3. to request permission, POST to request-permission URI
   • auth probably not needed, but requires more thought
   • if auth is needed, URI SHOULD be in the same protection space as original URI if possible so auth credentials can be reused
4. response to request-permission can include a link to a management UI if available
   • depending on RS policy, who's requesting, etc.
5. if desired, app redirects user's trusted browser to management UI in Resource Server
   • not in a frame
   • include a redirect_uri&state back to app
6. user interacts with management UI in RS to process permission request(s)
   • requires first-party (example: cookie) login
   • SHOULD NOT "Access-Control-Allow-Credentials"
   • SHOULD use anti-XSRF
   • SHOULD use frame-busting
   • when done, can 302 redirect back to app

alternatively, user can log into RS UI in the future to review and approve pending permission requests.

• depending on RS policy, might be needed for third party (non-owner) requests

the notion of "permission" and the operation of the UI is entirely up to the RS. the functionality the user expects is that, if the necessary access is granted, the original request will not be 403 Forbidden if repeated.

for WAC, adding an app/origin analog of acl:agentGroup (such as acl:appGroup or acl:originGroup) may be helpful. the RS can have UI and/or APIs for managing internal app groups so they can be hidden from outside access (to preserve privacy).

app groups could allow the owner to define arbitrary roles/scopes for apps, such as "chat", "photos", "music", etc., as coarse or as fine as desired.

for app groups, the RS can use heuristics or configuration to determine what groups/roles/scopes might be needed to satisfy the original request and likely related requests. those could be highlighted among all possible scopes, or only those could be presented (using a new challenge if additional scopes are required later by that app).

[zenomt]

note that this method is independent of how identity works (doesn't need to be webid, doesn't need to be based on OIDC or WebID-TLS), how authorization works (doesn't need to be bearer tokens or cookies or WebID-TLS), how permissions work (doesn't need to be WAC), and how granting access works (maybe you can get access if you pay a dollar in the management UI).

[michielbdejong]

We discussed this in today's call, I love it! Especially how the app requests 1 resource first, and that serves as just an example of the scopes it's requesting access to, and it's then up to resource server + user to handle the generalization from that one URI to a group of URIs to grant access for, there is no need to describe scopes in any way.

[zenomt]

@michielbdejong a basic server implementation could, in the management UI, always present all available/defined scopes for the user/admin to select. more sophisticated management could guess what scopes were needed based on the original request.

[RubenVerborgh]

a basic server implementation could, in the management UI

Just quickly stepping in for a remark here:

currently, there is no requirement for servers to have any UI—and I am not sure their should be.

We might rather want to see the management UI as an app, on top of an RDF API the server implements. That way, there can be different UIs for different cases and people.

Hence, the server vs app question might need an issue of its own.

[zenomt]

@RubenVerborgh

currently, there is no requirement for servers to have any UI—and I am not sure their should be.

agreed. there is no requirement in this proposal for the server to have a UI of any sort, though i think it's likely a practical and usable server will have a web-based management UI to do "owner" stuff.

i reworded step 4 to hopefully make it clearer that a link to a management UI is optional in this protocol, since there might not be a web-based one (or a do-it-immediately one).

a basic server implementation could, in the management UI

a very basic server might send the owner email saying to go check the request queue and update configuration files and ACLs with their favorite text editor. :)

[zenomt]

here is a concrete example interaction (note x-permission-* is a placeholder for now pending a good name).

the client attempts an authenticated access to a resource:

→
GET /some/restricted/resource HTTP/2
Host: alice.example
Origin: https://other.example
Authorization: Bearer gZDES1DqHf1i3zydSqfnsgGhkMgc4gcbpnCHSCcQ

the server determines the client has insufficient privilege (for example, the app the user is using isn't allowed). the server supports requesting additional privilege and determines it is appropriate to allow the client to do so (for example, because the authenticated user is the owner). the response includes a Link with rel="x-permission-request":

←
HTTP/2 403 Forbidden
Access-Control-Allow-Origin: https://other.example
Access-Control-Expose-Headers: Link
Content-type: text/html; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:18 GMT
Link: </auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8>; rel="x-permission-request"; expires_in="600"

<html>Your app is not allowed... Yet.</html>

the client application determines to request additional privilege and POSTs to the x-permission-request URI (without credentials):

→
POST /auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8 HTTP/2
Host: alice.example
Origin: https://other.example
Content-type: application/x-www-form-urlencoded

the server accepts and queues the request for additional privilege. additionally, the server can provide a web-based interface for managing requests for additional privilege, and determines it's appropriate to give the client application a link to the interface (for example, because the authenticated user to which the x-permission-request link was given is the owner):

←
HTTP/2 202 Accepted
Access-Control-Allow-Origin: https://other.example
Content-type: application/json; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:19 GMT

{
    "x-permission-management-page": "https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri={redirect_uri}"
}

the client application determines to present the web-based server management interface to the user. the client redirects the browser to https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri=https://other.example/app/page.html%23state%3D3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb, which is the x-permission-management-page URI with a redirect_uri substituted in the template. the redirect_uri here contains a state parameter in the fragment identifier to allow the application to resume where it left off.

the user interacts with the management UI, perhaps granting necessary additional privilege. eventually the management activity concludes, and the management interface redirects back to the app:

←
HTTP/2 302 Found
Date: Fri, 09 Aug 2019 05:10:00 GMT
Location: https://other.example/app/page.html#state=3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb

the client application can now resume. note that sufficient privilege to access desired resources might not have been granted during the management activity, so the entire process might play out again.

[jaxoncreed]

I just had a thought. This flow works very well with discovery if there exists a generic API route to do discovery.

For example. You could have a route like /all?shape=https://linktoshape.com. If you don't have access to all shapes of that type, you will receive the options outlined above.

[RubenVerborgh]

So in that sense there's a strong connection to / dependency on shape discovery (in the data interop panel).

[zenomt]

resolved by #18.