# 2020-02-03 Authentication Panel ## Present * @jaxoncreed * @jamiefiedler * @elf-pavlik * @dmitrizagidulin * @bblfish ## Issues ### Access Control Discussion with Tim - Jackson: I had discussion with Tim about access control. Based on [proposal I gave to interop](https://github.com/solid/data-interoperability-panel/issues/34) panel, based on SPARQL queries. Later I tought we may need something turing complete. Tim pushed back on turing complete but stayed open to something flexible. He proposed rule engines. We don't plan it for 1.0 but for the future. - Henry: You may want to look at Skolem Machines https://skolemmachines.org/ in relation to turing complete languages versus logic. It shows that coherent logic (which say n3 is) can be thought of as a turing machine. - In my research on category theory on RDF, I've discovered one very good modelization called [bicategories of relations](https://arxiv.org/pdf/1706.00526.pdf). It's a bicategory rather than a normal category (which is just a graph with paths), because a bicategory also has relations betwen relations (arrows between arrows). In this case it those are equivalent to "rdf:subPropertyOf". It turns out that this looks like it fits very well with what rdf is doing. The article starts with Description Logics. It shows that RDF is a logic with just conjunction and True. If you add the dual which are disjunction and false, you get the full logic. The interal language of bicategories of relations is something called coherent logic which is as expressive as first order logic. With only the conjunction and true we get the fragement of first order logic that Pat Hayes claims RDF is. (see [links in issue 14 of web-cats](https://gitlab.com/web-cats/CG/issues/14)). Extensions of RDF such as OWL or N3 do give us first order logic. Coherent logic is a very simple logic. The founder of the proof assitant Coq in [Automating Coherent Logic](https://link.springer.com/chapter/10.1007/11591191_18) to help make proofs humanly readable (there are other articles following on that). There's this really interesting article called on the [skolem machines web site](https://skolemmachines.org/) which shows how one can think of coherent logic as a turing machine. So if the issue is turing machines or logic, it looks like one can do logic and turing machines. And another thing I discovered at some point the [Euler Sharp](http://eulersharp.sourceforge.net/) sharp reasoning engine for n3 (the other is TimBL's cwm) on which Ruben Verborgh worked, did have a coherent logic reasoner. See [thread on Semantic Web mailing list](http://eulersharp.sourceforge.net/) - So, you can do this with rules and you could build on the work of the description logic people. Categories Theory is a way of doing translations between diferent mathemantical areas. And this appleis to programming. So you can compare say functional and logic programming. Description logic also works. It just limits itself by trying to avoid types of things from being sayable. On the other hand if the client can pass a proof along with a verifivable calim (say to proove that someone is a friend of a friend) the Guard on the server would notneed to research the proof (searching say a huge space of friends to find the relation) - Elf: Could you post somewhere on github on how you would apply rules and specific use cases about authorization. I think it would be much more helpful to have some concrete examples on how this would work in with the requirements. - Henry: I have an example for friend of friend using OWL. the chapter 3.4 on security https://co-operating.systems/2019/04/01/PhD_second_year_report.pdf has a friend of a friend example. ### [Application Tagging](https://github.com/zenomt/webid-auth-nginx#application-tagging) ### Dmitri Discusses PR - https://github.com/solid/authentication-panel/pull/40 - Dmirtri: The general idea is we want to have a future-proof mechanism for people to specify the version of authentication that we're running. - Elf: In practice, the app probably wants to include the capabilities it has, so do we want to already hint here that we expect this capability based client authentication. We want to think of how we later say there's this capability approach. We want to include the link to the capabities client authentication. - Dmitri: this gives a general purpose mechanism of how to advertise. So, we could add it as another scope. - ...: The www authenticated header is underused in the wild. What we put in the scope field is very arbitrary, but we're definitely open to suggeestions - Elf: In that case we could consider it some kind of special take on openid connect. So, I think we should consider if it's not misleading, openid. - Dmitri: The client encountering this header is a signal to start the openid dance. That's the relationship of this header. - Jackson: How do I tell if something supports 0.8 or 1.0? - Dmitri: Switching between 0.8 and 1.0 is a swap between the bearer keyword. Different OIDC servers use this header differently so it's had to determine what those support. We can say that if there is no webid in the scope, then it's just vanilla openid - Dmitri: In OIDC server metadata we could advertise version. I don't think we have enough 0.8 installations for it to matter. - Elf: I still don't see what the relationship between the client and the resource server. - Dmitri: The relationship is the access token that you get after the openid connect flow. - Elf: So in the case where the OP is separate from the resource server, I would not use an opaque access token from the OP to access that storage. If I use some client to access that storage, what's the openid connect connection - Dmitri: I would argue that there is an openid connection - It initiates a client to begin an openid flow - The RS server is using openid key configurations (JWKS) for validation - Elf: I would write a separate proposal for JSON web key discovery that doesn't rely on openid. And it's less of a connection to the openid part - Dmitri: Michael may want to argue that the realm parameter should be required rather than optional. - Elf: Realm can be any string. #### Current WebID-OIDC v0.8 response example: ``` > GET /example/resource < HTTP/1.1 401 Unauthorized < WWW-Authenticate: Bearer realm=”https://example.com” scope=”openid webid” ‘realm’ param is optional ‘scope’ is currently used to differentiate the 401 response from “regular” OIDC (specifically, the webid part) ``` ### TODO: - Elf: currently we rely on a webid profile pointing to issuers. In many cases the person will get the webid with the op, for the power users I don't think it's bad to give the url of the keys. I think there's an advantage of instead of relying on the open identifier, you just point to the JWK. It seems unneccissary to rely on all this discovery. So, I'll make a proposal for that. - Jackson: OWL proposal for access control