input from Michael about authorization-panel HOT 9 CLOSED

@RubenVerborgh

currently, there is no requirement for servers to have any UI—and I am not sure their should be.

agreed. there is no requirement in this proposal for the server to have a UI of any sort, though i think it's likely a practical and usable server will have a web-based management UI to do "owner" stuff.

i reworded step 4 to hopefully make it clearer that a link to a management UI is optional in this protocol, since there might not be a web-based one (or a do-it-immediately one).

a basic server implementation could, in the management UI

a very basic server might send the owner email saying to go check the request queue and update configuration files and ACLs with their favorite text editor. :)

from authorization-panel.

a basic server implementation could, in the management UI

Just quickly stepping in for a remark here:

currently, there is no requirement for servers to have any UI—and I am not sure their should be.

We might rather want to see the management UI as an app, on top of an RDF API the server implements. That way, there can be different UIs for different cases and people.

Hence, the server vs app question might need an issue of its own.

from authorization-panel.

note that this method is independent of how identity works (doesn't need to be webid, doesn't need to be based on OIDC or WebID-TLS), how authorization works (doesn't need to be bearer tokens or cookies or WebID-TLS), how permissions work (doesn't need to be WAC), and how granting access works (maybe you can get access if you pay a dollar in the management UI).

from authorization-panel.

We discussed this in today's call, I love it! Especially how the app requests 1 resource first, and that serves as just an example of the scopes it's requesting access to, and it's then up to resource server + user to handle the generalization from that one URI to a group of URIs to grant access for, there is no need to describe scopes in any way.

from authorization-panel.

@michielbdejong a basic server implementation could, in the management UI, always present all available/defined scopes for the user/admin to select. more sophisticated management could guess what scopes were needed based on the original request.

from authorization-panel.

here is a concrete example interaction (note x-permission-* is a placeholder for now pending a good name).

the client attempts an authenticated access to a resource:

→
GET /some/restricted/resource HTTP/2
Host: alice.example
Origin: https://other.example
Authorization: Bearer gZDES1DqHf1i3zydSqfnsgGhkMgc4gcbpnCHSCcQ

the server determines the client has insufficient privilege (for example, the app the user is using isn't allowed). the server supports requesting additional privilege and determines it is appropriate to allow the client to do so (for example, because the authenticated user is the owner). the response includes a Link with rel="x-permission-request":

←
HTTP/2 403 Forbidden
Access-Control-Allow-Origin: https://other.example
Access-Control-Expose-Headers: Link
Content-type: text/html; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:18 GMT
Link: </auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8>; rel="x-permission-request"; expires_in="600"

<html>Your app is not allowed... Yet.</html>

the client application determines to request additional privilege and POSTs to the x-permission-request URI (without credentials):

→
POST /auth/request-permission?r=8374B650-4974-4E14-A7DF-8729041A96D8 HTTP/2
Host: alice.example
Origin: https://other.example
Content-type: application/x-www-form-urlencoded

the server accepts and queues the request for additional privilege. additionally, the server can provide a web-based interface for managing requests for additional privilege, and determines it's appropriate to give the client application a link to the interface (for example, because the authenticated user to which the x-permission-request link was given is the owner):

←
HTTP/2 202 Accepted
Access-Control-Allow-Origin: https://other.example
Content-type: application/json; charset=utf-8
Cache-control: no-cache, no-store
Date: Fri, 09 Aug 2019 05:09:19 GMT

{
    "x-permission-management-page": "https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri={redirect_uri}"
}

the client application determines to present the web-based server management interface to the user. the client redirects the browser to https://alice.example/auth/permission-queue?r=07FE5FA4-A3F1-4F83-A6E4-41220A538BDB&redirect_uri=https://other.example/app/page.html%23state%3D3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb, which is the x-permission-management-page URI with a redirect_uri substituted in the template. the redirect_uri here contains a state parameter in the fragment identifier to allow the application to resume where it left off.

the user interacts with the management UI, perhaps granting necessary additional privilege. eventually the management activity concludes, and the management interface redirects back to the app:

←
HTTP/2 302 Found
Date: Fri, 09 Aug 2019 05:10:00 GMT
Location: https://other.example/app/page.html#state=3SNflxua6WiOgQmp1YSSg5dPNOpEG0nubd3p3NthHuJb

the client application can now resume. note that sufficient privilege to access desired resources might not have been granted during the management activity, so the entire process might play out again.

from authorization-panel.

I just had a thought. This flow works very well with discovery if there exists a generic API route to do discovery.

For example. You could have a route like /all?shape=https://linktoshape.com. If you don't have access to all shapes of that type, you will receive the options outlined above.

from authorization-panel.

So in that sense there's a strong connection to / dependency on shape discovery (in the data interop panel).

from authorization-panel.

resolved by #18.

from authorization-panel.