Credential based access control (WAC + VC) #79
Comments
And maybe also include the subject's WebID in the VC? Otherwise it just says "someone is over 18", rather than "the current user is over 18". |
|
@jaxoncreed also has use case around Alcoholics Anonymous, where access would require membership Bearer Credential credential but no specific user identity. I think we should move this issue to https://github.com/solid/authorization-and-access-control-panel I'll take another look at UMA 2.0 Interactive Claims-Gathering. Granting access based around more general claims / credentials may also come in support of @zenomt's proposal to allow RS delegating that logic to associated AS. In UMA 2.0 also AS gathers claims not RS.
For that we could rely on 'sender constrained tokens' which don't require user's identity but only guarantee that client presenting the credential has right to do it. DPoP provides one mechanism for sender constraining credentials. VC spec mentions Token Binding
In specifications repo I see issue about capability urls solid/specification#143 |
|
@joepio Just wanted to ack this issue. Do you think the use cases along the lines of https://solid.github.io/authorization-panel/authorization-ucr/#uc-minimalcredentials and https://solid.github.io/authorization-panel/authorization-ucr/#capabilities-vc are in the spirit of what you'd like to make sure we address? If not, would you like to carve out the use case in the https://github.com/solid/authorization-panel repo? We can also update existing ones if it doesn't quite capture or unclear. |
|
Best continue discussion in ACL / Authorization-Panel tracker ( |
|
Not at all "replacing WAC". The activity in authorization-panel is orthogonal. So is VC and how that may be coupled with the other mechanisms in an authorization system/framework. See if the UC that I've linked to captures what you're interested in, if not let's have another UC. We can talk about spec-level solutions after the functional requirements. Okay to close. |
|
Yes! This issue describes both the use case and a partial proposed implementation. Use case definitionI think the UC is identical to https://solid.github.io/authorization-panel/authorization-ucr/#capabilities-vc so for that we're covered. Proposed solutionWill keep searching to see where we can discuss the partial solution proposal. To arbitrarily complete the proposed solution and give us a strawman, we could pick predicate strings as follows:
Open issues:
|
can we just handle it with data shapes? |
|
sounds good! what would that look like? |
|
If we want a specific issuer prefix cred: <https://www.w3.org/2018/credentials#>
prefix org: <http://www.w3.org/ns/org#>
<#RequiredCredentialShape> {
cred:issuer [<https://vc.acme.example/>] ;
cred:credentialSubject {
org:memberOf [<https://acme.example/>]
}
}@ericprud should probably double check me |
|
Ah, yes! Let's try to do it that way. |
|
Continuing conversation in authorization panel ^ |
Not entirely sure is this is the right place for this issue
Web access control allows for a decentralized authorization mechanism, where some data owner can specify which individuals or groups have (read / write) access to specific resources.
However, there exist many use cases where the data owner does not know the identity of the data user beforehand, but does know a set of credentials that should give access. For example, Facebook's "friends of friends" privacy setting gives access to people who have friends that are friends with you. Or how about an adult video supplier who requires an 18+ credential for viewers. Or a local platform for people who live in some neighborhood might require a location credential.
The W3C Verifiable Credentials spec describes how to store, serialize and validate these credentials. Considering the use cases described above, it might make sense to have a link between WAC and VC. For example, an
acl:Authorizationmight have aacl:requiredCredential, which links to someacl:CredentialRequirement, which consists of:Some questions:
The text was updated successfully, but these errors were encountered: