@Mitzi-Laszlo can you add this to https://github.com/solid/specification/milestone/1?
We also discussed this in the community call just now and there seemed to be unanimous consensus that this is something we want and need to be in scope.
basically it's https://forum.solidproject.org/t/read-only-or-sub-folder-oidc-scopes/767 and https://github.com/solid/authorization-and-access-control-panel - in a sentence, and at the minimal level:
If Alice gives Bob read-access to (a part of) her pod, then how can Bob give a document-viewer app "attenuated" access to only one resource on there, but not the others.
So the goal is a situation where Alice has control-access to her entire pod, Bob has read-access to some part of it, and the document-viewer app has read-access to only one single document, so a strict subset of the access that Bob himself has.
In theory this is already possible: Bob emails Alice the origin of the app and which doc it should be allowed to open, and Alice goes and edits the ACL with an acl:origin entry, then emails Bob back. But in practice we (obviously) want a better system for this.
It's up to the editors of the spec to assign issues to milestones. My concern with assigning it to https://github.com/solid/specification/milestone/1 is that there are too many dependencies that need to be worked out first. I don't see how we will get there on time.
Let's map out the dependencies and make explicit issues for them; that will bring clarity.
We'd need to spec several pre-requisites to make this happen. (And I'm happy to break these out into individual issues, where appropriate, if people agree on the general list.) Most, if not all, of this spec work will probably need to happen in the Authorization and Access Control Panel.
client_ids for some native apps, and redirect_uris for some in-browser apps, etc).acl:origin that's used for this purpose. Will that predicate be sufficient, or do we need more?.acl involved and insert the app's acl:origin (or whatever other predicate we end up using). This is a UX nightmare though, which is why a global white list of Trusted Apps has been developed. Can we develop other mechanisms, in addition to a global trusted list or individual .acl statements? Such as:.acls, or somewhere like an App Registry?Hopefully this can help shape the discussion of this spec feature request.
Just to be clear, though, that while I agree with @RubenVerborgh that we may not have time to address all dependencies 1-6, in time for the a 1.0 spec,
I personally think that it's crucial that we address items 1 through 3 for the 1.0 spec.
Great! I'll leave this task in your (plural) capable hands. :)
I agree that this issue wouldn't quite make it into milestone 1 (~FPWD). I've bumped it down for later. If all dependencies in the earlier milestones are addressed, we can do it - which may end up getting done for ~PR/REC or major release ("1.0") any way.
@dmitrizagidulin
I personally think that it's crucial that we address items 1 through 3 for the 1.0 spec.
If any issue pertaining to items 1-3 are not logged, can you mind adding them?
Also discussed this issue with @jaxoncreed just now. Our conclusion is that regardless of where the dialog GUI lives where Bob specifies his choice of attenuation, there are basically two places where the attenuation decision can go: on Bob's profile/pod, or inside the bearer token.
Another interesting question is: Does Bob trust Alice's storage server to properly apply Bob's attenuation decision? If not, then I think the only other option would be if Bob makes the app go through a proxy that he controls.
Some more discussion on this https://github.com/solid/authorization-and-access-control-panel/issues/43
So https://github.com/solid/authorization-and-access-control-panel/blob/master/privilege-request-protocol.md doesn't solve the Alice+Bob scenarios I described in this issue, because it just sort of assumes that Bob is somehow able to tell Alice's server what his attenuation decision is, and we don't currently have a way to do that, other than sending an email to Alice and she editing the ACL doc at the RDF level.
If not, then I think the only other option would be if Bob makes the app go through a proxy that he controls.
I've created issue for something like that a month ago: https://github.com/solid/authorization-and-access-control-panel/issues/35
Another interesting question is: Does Bob trust Alice's storage server to properly apply Bob's attenuation decision?
Why in that case Bob would trust Alice's storage server to even properly apply user related WAC rules?
Why in that case Bob would trust Alice's storage server to even properly apply user related WAC rules?
Good question, and I don't know the answer! :)
I did see that this is now planned for 19 June 2020. Later than I had hoped, but glad to see it's on your roadmap!
Another interesting question is: Does Bob trust Alice's storage server to properly apply Bob's attenuation decision?
I think that Bob trusting Alice's storage server to enforce the constraints he's applied on his token is fine.
... there are basically two places where the attenuation decision can go: on Bob's profile/pod, or inside the bearer token.
since the decision of whether to grant access to any request ultimately belongs to, and is enforced by, Alice's server, such an "attenuation decision" could also be stored in Alice's server.
I think that Bob trusting Alice's storage server to enforce the constraints he's applied on his token is fine.
expecting Alice's (or anyone else's) storage server to enforce Bob's constraint preferences is, in the best case, "overly optimistic". Bob can hope unassociated servers he accesses will honor his preferences, but he should only expect it from servers he controls or otherwise knowingly trusts to do so.
Most helpful comment
Just to be clear, though, that while I agree with @RubenVerborgh that we may not have time to address all dependencies 1-6, in time for the a 1.0 spec,
I personally think that it's crucial that we address items 1 through 3 for the 1.0 spec.