# LWS Authorization issues
* Used in ACLs
* Give principals access to resources
slides: https://hackmd.io/@ericP/Hk1NDnic1g#/1
---
## Tech examples
**WAC:** Simple, interoperable, and RDF-native, but limited to static ACLs and coarse access distinctions.
**ACP:** The most aligned with decentralized data governance — supports policy re-use, linked data, conditions, and delegation.
**OAuth/OIDC:** Popular in mainstream web apps, but less compatible out-of-the-box with dWeb principles; still useful with careful decentralization (e.g., using DIDs or user-hosted IdPs).
**SAML:** Designed for centralized enterprise architectures (federated SSO).
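A minimal pair showing the WAC/ACP contrast stated above (static per-resource ACL vs. reusable, conditional policy). This is an added example, not part of the original slides; the agent, client and resource IRIs are placeholders.

```turtle
# --- WAC: one static .acl document per resource, grants tied to an identity ---
@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

# Placeholder IRIs; <./notes> is the resource this .acl document governs.
<#owner> a acl:Authorization ;
    acl:agent    <https://alice.example/profile#me> ;
    acl:accessTo <./notes> ;
    acl:mode     acl:Read, acl:Write, acl:Control .

<#public> a acl:Authorization ;
    acl:agentClass foaf:Agent ;          # any agent, authenticated or not
    acl:accessTo   <./notes> ;
    acl:mode       acl:Read .            # no way to say "only from app X"

# --- ACP: policies are named resources, reused via access controls (separate document) ---
@prefix acp: <http://www.w3.org/ns/solid/acp#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

<#acr> a acp:AccessControlResource ;
    acp:resource            <./notes/> ;
    acp:accessControl       <#ac> ;      # applies to the container itself
    acp:memberAccessControl <#ac> .      # same policy reused for every member

<#ac> a acp:AccessControl ;
    acp:apply <#aliceFromTrustedApp> .

# Conditional grant: both matchers must hold (allOf) - Alice AND a named client.
<#aliceFromTrustedApp> a acp:Policy ;
    acp:allow acl:Read, acl:Write ;
    acp:allOf <#isAlice>, <#isTrustedApp> .

<#isAlice> a acp:Matcher ;
    acp:agent <https://alice.example/profile#me> .

<#isTrustedApp> a acp:Matcher ;
    acp:client <https://app.example/id> .   # placeholder OIDC client identifier
```

The ACP half is what the "policy re-use" and "conditions" claims refer to: one policy is applied to a container and all its members, and the grant is narrowed to a specific agent acting through a specific client, which WAC cannot express.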
---
## Access Mechanism
| | By Identity | By Capability |
| ---- | ----------- | ------------- |
| Examples | WAC, ACP | ZCap, Verifiable Credentials, ACP, WAC |
| API Scope | Definition of authorization mechanism | Definition of access token data model |
| Extensibility | Only in the context of WAC/ACP | Arbitrarily extensible |
---
### Pros and Cons
| | By Identity | By Capability |
| ---- | ----------- | ------------- |
| Pros | Prior art in Solid, handles simple use cases | Flexible, smaller API surface, aligns with OAuth2 architecture, can evolve over time (e.g. GNAP, SAML, OAuth2) |
| Cons | Must pick a "winner" and not be wrong, delegation support? | Separation of authorization and resource servers |
---
## Giant Table
| Feature / Mechanism | **WAC (Web Access Control)** | **ACP (Access Control Policies)** | **OAuth 2.0** | **OIDC (OpenID Connect)** | **SAML** |
| -------------------------------------- | ----------------------------- | -------------------------------------- | ------------------------------------- | ----------------------------------------------- | ---------------------------------- |
| **Designed for Decentralization** | ✅ Yes | ✅ Yes | ⚠️ Possible (but requires adaptation) | ⚠️ Possible (with decentralized IdP) | ❌ No (centralized federation) |
| **Resource-Level Access Control** | ✅ Native support | ✅ Native + conditional logic | ❌ No | ❌ No | ❌ No |
| **Fine-Grained Policy Support** | ❌ Basic (RDF ACLs) | ✅ Advanced (policy graph, inheritance) | ⚠️ Limited (scope-based) | ⚠️ Limited (claims + scopes) | ❌ No (coarse-grained assertions) |
| **Modular, Reusable Policies** | ❌ No | ✅ Yes | ⚠️ Partial | ⚠️ Partial | ❌ No |
| **Interoperable RDF Representation** | ✅ Yes (RDF-based) | ✅ Yes (RDF-based, extensible) | ❌ No (JSON-centric) | ❌ No (JSON-centric) | ❌ No (XML-based) |
| **Supports Linked Data Permissions** | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ❌ No |
| **Delegated Authorization** | ⚠️ Limited (WebID-based only) | ✅ Yes (policy includes delegation) | ✅ Yes (core feature) | ✅ Yes (via OAuth) | ❌ No |
| **Dynamic Policy Evaluation** | ❌ No | ✅ Yes (queryable conditions) | ⚠️ Not native | ⚠️ Not native | ❌ No |
| **Decentralized Identity Integration** | ✅ WebID | ✅ WebID / DID-friendly | ⚠️ With effort (via DID/OIDC bridges) | ✅ (if paired with DID or SSI IdPs) | ❌ Centralized IdPs only |
| **Best Fit Use Cases** | Solid Pods, static ACLs | Solid Pods, flexible data governance | API access in decentralized apps | User-centric identity in dWeb | Enterprise SSO (not decentralized) |
| **Maturity / Adoption in dWeb** | 🟡 Mature in Solid | 🟢 Emerging in Solid / dWeb research | 🟡 Adapted for some dWeb use | 🟡 Experimental with SSI/Verifiable Credentials | 🔴 Rarely used in dWeb context |