2022-11-21 Solid Interoperability

# 2022-11-21 Solid Interoperability * Time: 15:00UTC * Link: https://meet.jit.si/solid-data-interoperability ## Present * elf Pavlik * Wouter Termont * Laurens Debackere * Justin Bingham ### Regrets * ## Agenda * New meetings schedule * Open PRs * Roadmap * Authorization flow * Get WAC on board * Separate into smaller specs * Cleanup smaller issues ## Minutes ### New meetings schedule eP: bi-weekly on Mondays at 15:00UTC ### Open PRs Overview: https://github.com/solid/data-interoperability-panel/pulls #### [#253 Add authz flow diagram for social agent sharing access](https://github.com/solid/data-interoperability-panel/pull/253) * eP: I'm concerned about creating access need in the app. Can we just pass IRI of the resource to AA? * WT: Would AA generate the access need? * eP: I think we don't need an access need here, it would be needed if Bob wants to request access from Alice. Here Alice initiates the flow. * WT: Let's say Alice wants to share a Project with Bob, specifically title and description and only one item. How you describe it to authorization agent. * eP: AA should be able to show tasks based on shape tree reference. * WT: The app would have better UI to select exactly what user wants to share. * eP: I agree we can have two options to pass just IRI or create an access need in the app. ACTION: Pavlik to merge and create follow up issue #### [Access Needs for Public Resources #254](https://github.com/solid/data-interoperability-panel/pull/254) * LD: I recall that idea of public access modes wasn't fitting that well. * ...: We were looking into fitting it into dedicated set of registries. ACTION: To rething it for next meeting. * WT: Whan talking with people working on type indexes. I was thinking about introducing a Public Agent and giving it all the data that would be public. Also dedicated registry would be an option. * LD: If you stumble across such pod you would need a way to discover those public resources. * WT: I mentioned that AA could sync the data granted to public agent with type indexes. * eP: Public Agent Registration would act like Public Type Index. * WT: Wouldn't it diverge from how other agent registrations work? * eP: I think it will work exactly the same Agent Registration -> Access Grant -> Data Grants * LD: I don't think we should aim to keep type indexes alive any longer than needed. * eP: I agree, we just need to provide all the equivalent functionality. ### Roadmap #### Authorization Flow * eP: I'm aware about two diverging implementations, due to spec currently not including details. * ...: I implemented flow using simple redirect to AA with `client_id` * ...: AFAIK Digita implemented flow following [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) - https://docs.use.id/docs/an-overview-of-the-useid-authorization-endpoints * WT: We don't follow PAR but have something very similar. Our clients create request in the AA endpoint, and once user approves in app or via email (given no AA at this moment). * eP: On use.id diagram you have separate client front-end and client back-end, is it just an implementation detail. * WT: WAC lacks client identification so we started by having all our clients having a backend, which does the calls to our API. ACTION: Pavlik to create issue proposing reconciliation of both approaches, possibly PAR based * WT: IMO simple redirect can be more intuitive * LD: In theory AA could have different methods supported. For example PAR endpoint, also extend it to what Inrupt is implementing with access requests and access grants. * eP: I think it's based on VC HTTP API * LD: I don't think there has been much movement from Inrput. Aaron was planning to write down a proposal. #### Invite Aaron to align specs * LD: Implementation only uses ACP rule just contains the type of the VC #### Get WAC on board * WT: Since WAC does not support discrimination based on the client, it's practically impossible to use SAI with it; or is that different in anyone's opinion? * ...: [WAC#81](https://github.com/solid/web-access-control-spec/issues/81) has been open for over a year, but it seems no one will move untill there is some implementation. * ...: I could try to open a PR to get it into CSS. * eP: ???