Comments (9)
currently, there is no requirement for servers to have any UI—and I am not sure their should be.
agreed. there is no requirement in this proposal for the server to have a UI of any sort, though i think it's likely a practical and usable server will have a web-based management UI to do "owner" stuff.
i reworded step 4 to hopefully make it clearer that a link to a management UI is optional in this protocol, since there might not be a web-based one (or a do-it-immediately one).
a basic server implementation could, in the management UI
a very basic server might send the owner email saying to go check the request queue and update configuration files and ACLs with their favorite text editor. :)
from authorization-panel.
a basic server implementation could, in the management UI
Just quickly stepping in for a remark here:
currently, there is no requirement for servers to have any UI—and I am not sure their should be.
We might rather want to see the management UI as an app, on top of an RDF API the server implements. That way, there can be different UIs for different cases and people.
Hence, the server vs app question might need an issue of its own.
from authorization-panel.
note that this method is independent of how identity works (doesn't need to be webid, doesn't need to be based on OIDC or WebID-TLS), how authorization works (doesn't need to be bearer tokens or cookies or WebID-TLS), how permissions work (doesn't need to be WAC), and how granting access works (maybe you can get access if you pay a dollar in the management UI).
from authorization-panel.
We discussed this in today's call, I love it! Especially how the app requests 1 resource first, and that serves as just an example of the scopes it's requesting access to, and it's then up to resource server + user to handle the generalization from that one URI to a group of URIs to grant access for, there is no need to describe scopes in any way.
from authorization-panel.
@michielbdejong a basic server implementation could, in the management UI, always present all available/defined scopes for the user/admin to select. more sophisticated management could guess what scopes were needed based on the original request.
from authorization-panel.
here is a concrete example interaction (note x-permission-*
is a placeholder for now pending a good name).
the client attempts an authenticated access to a resource:
→
GET /some/restricted/resource HTTP/2
Host: alice.example
Origin: https://other.example
Authorization: Bearer gZDES1DqHf1i3zydSqfnsgGhkMgc4gcbpnCHSCcQ
the server determines the client has insufficient privilege (for example, the app the user is using isn't allowed). the server supports requesting additional privilege and determines it is appropriate to allow the client to do so (for example, because the authenticated user is the owner). the response includes a Link
with rel="x-permission-request"
:
←
HTTP/2 403 Forbidden
Access-Control-Allow-Origin: https://other.example
Access-Control-Expose-Headers: Link
Content-type: text/html; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:18 GMT
Link: </auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8>; rel="x-permission-request"; expires_in="600"
<html>Your app is not allowed... Yet.</html>
the client application determines to request additional privilege and POST
s to the x-permission-request
URI (without credentials):
→
POST /auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8 HTTP/2
Host: alice.example
Origin: https://other.example
Content-type: application/x-www-form-urlencoded
the server accepts and queues the request for additional privilege. additionally, the server can provide a web-based interface for managing requests for additional privilege, and determines it's appropriate to give the client application a link to the interface (for example, because the authenticated user to which the x-permission-request
link was given is the owner):
←
HTTP/2 202 Accepted
Access-Control-Allow-Origin: https://other.example
Content-type: application/json; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:19 GMT
{
"x-permission-management-page": "https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri={redirect_uri}"
}
the client application determines to present the web-based server management interface to the user. the client redirects the browser to https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri=https://other.example/app/page.html%23state%3D3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb
, which is the x-permission-management-page
URI with a redirect_uri
substituted in the template. the redirect_uri
here contains a state
parameter in the fragment identifier to allow the application to resume where it left off.
the user interacts with the management UI, perhaps granting necessary additional privilege. eventually the management activity concludes, and the management interface redirects back to the app:
←
HTTP/2 302 Found
Date: Fri, 09 Aug 2019 05:10:00 GMT
Location: https://other.example/app/page.html#state=3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb
the client application can now resume. note that sufficient privilege to access desired resources might not have been granted during the management activity, so the entire process might play out again.
from authorization-panel.
I just had a thought. This flow works very well with discovery if there exists a generic API route to do discovery.
For example. You could have a route like /all?shape=https://linktoshape.com.
If you don't have access to all shapes of that type, you will receive the options outlined above.
from authorization-panel.
So in that sense there's a strong connection to / dependency on shape discovery (in the data interop panel).
from authorization-panel.
resolved by #18.
from authorization-panel.
Related Issues (20)
- Required Credentials Discovery HOT 6
- support Trig serialization of Access Control Resources
- define a 2nd relation for ACRs to go with "acl" HOT 1
- Ideas for access modes and corresponding operations in the Protocol HOT 53
- acp:CreatorAgent logic HOT 5
- place meeting minutes on "draft-minutes" branch HOT 3
- Process Point of Order in meeting 2021-09-29 HOT 15
- ACP Draft design flaw HOT 18
- Distinction between policies which can be enforced by technology and by law HOT 5
- Enforce a secure default for client restrictions HOT 5
- Consider ACP matcher for conditional by relationship
- Update authorization-ucr's editors HOT 5
- Specify that the modes available are calculated using the resolution algorithm.
- Remove acp:mode from Context properties HOT 2
- Cannot match a context that contains a client/issuer HOT 4
- ACP vocabulary base URI problems HOT 1
- Serve ACP vocabulary from its base URI
- Authorization focused meetings HOT 13
- Clarify and/or mitigate risks related to negation (acp:deny) HOT 2
- ACP acronym also used for: Authoritative Claims Provider (OIDC + VC)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authorization-panel.