2020-04-13 Authentication Panel

# 2020-04-13 Authentication Panel ## Present * Elf * Dmitri * Jackson ## Issues ### [Success Criteria](https://github.com/solid/authorization-and-access-control-panel#success-criteria) - Elf: Let's follow up on these clarifying use cases. One use case might be an app can request data based on a specific kind of shape. We don't have requirements coming from the enterprise. - ...: Do you think the "As a user... so that..." format is useful? - ...: I'll write up a link between the criteria and the use cases ### [Distinct aspects of Trusted App replacements #63](https://github.com/solid/authorization-and-access-control-panel/issues/63) - Elf: I created an issue more than a month ago. I'd like to get a bit more feedback on how to isolate and distinguish those parts. There are some commonalities and there's a complementary approach rather than mutually exclusive. The tags is one way of defining constraints. For example, having the capability credential and the authorization document is kind of a similar concept. There are quite a lot of similarities. - Jackson: I have impression that tags are quite popular. We need to coordinate it with interoperability panel. - ...: From conversations I have impressions that relying on DPoP and Verifiable Credentials seems pretty popular. I thnk we should go with existing standards rather than coming up with new standards. - Dmitri: DPoP is where the OAuth communty is moving, new WG in IETF uses DPoP as one of the core proof of possesion mechanisms. - Elf: we can cherry-pick from different proposals, they don't come as all or nothing. ### Update on Auth Upgrade Process - Dmitri: How is the server stuff going? - Jackson: I have written base of new server, Inrupt Pod Server is practically dead. We've build IPS in 3 months just to replace NSS. New prototype has dependency injection etc. Inrupt will offload this project to university of Ghent. New prototype is not in a public repository yet. For now we have NSS, I still maintain it. - ...: Last meeting we decided to open source solid-auth-fetcher so people can try it out. I will build matching support in current NSS. As we discuss what client needs to preset I will continue updating both libraries. - Dmitri: I see it as cricial ... - Elf: Also the interop meeting today is about footprints. We want to differentiate between the machine level updates and user level updates. - Dmitri: I will also update my fork of NSS - [life-server](https://github.com/interop-alliance/life-server) ### [Secuirty flaw in NSS](https://github.com/solid/node-solid-server/issues/1418) - Jackson: People already discussed it in the chat. We have nothing in the spec that restricts creating ACLs with slugs. LDP allows creating resources with PATCH to URL of empty resource, where we require controll access. On the other hand with POST you make request to the container and just include Slug header. In NSS client can create new ACL resources using POST with slug. Editos suggest that slug can't include *acl* - Elf: but *.acl* only comes as NSS convention, different implementations can store acls wherever they want - Dmitri: It seems implementation specific not something mandated by the spec. - Elf: For acl's you need to get the resource first and then get the link header - Dmitri: You can do a head to a non-existent resource to see what the acl should be. But we really need a way to atomically make a resource and an acl and the same time. You're right that the acl regex is just an implementation of NSS, but you can look at the link relation before the resource even exists. - Elf: The server can always detect the link relation between the resource and acl file. I think then it can perform a check if you actually have permission to do that. How does it differe between PUT and POST? - Dmitri: We have spec and implementation details. NSS has bug that you could create acl resurces using slug header. - From off record onversation: Spec will not mandate any convention for naming ACL resources. We will only require *Control* access for creating them. https://github.com/solid/specification/issues/42#issuecomment-611812135 ### Misc - Dmitri: https://myxr.social/ We work on open source Zoom replacement with VR. I plan to make auth based on solid.