-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorporate profile requirements from solid-oidc for Social Agents and Applications. #210
Comments
It was determined in the Interop Panel on 10/26 that we should add |
Well, coincidentally, I had been talking with @acoburn about client identifiers and came up with this example to see if I'd understood him. He says this works for him. What does it need to work for interop?
|
Note that since this is on a Pod, I have included the oidcIssuer so an admin can use the issued WebID to login and manage the web app and profile. |
@justinwb for a little background on the format of Client Identifiers -- The Solid OIDC spec requires at least JSON-LD and using the And because these are JSON-LD documents, they can be easily extended with additional |
Is this close? [{
"@context": [
"https://www.w3.org/ns/solid/oidc-context.jsonld",
"https://www.w3.org/ns/solid/interop-context.jsonld",
],
"@id":"https://datakitchen.solidcommunity.net/profile/card#me",
"@type":[
"http://www.w3.org/ns/solid/interop#Application"
],
"https://www.w3.org/ns/solid/oidc#client_name":[{
"@value":"SolidOS Data Kitchen"
}],
"http://www.w3.org/ns/solid/interop#applicationDescription":[{
@value":"The SolidOS Databrowser as a native desktop app"
}],
"https://www.w3.org/ns/solid/oidc#logo_uri":{
"@id":"https://datakitchen.solidcommunity.net/favicon.ico"
},
"https://www.w3.org/ns/solid/oidc#redirect_uris":[{
"@id":"https://datakitchen.solidcommunity.net/"
}],
"http://www.w3.org/ns/solid/interop#applicationAuthor":[
{ "@value": "Tim Berners-Lee <timbl@mit.edu>"},
{"@value":"Jeff Zucker <dubzed@gmail.com>"}
],
"http://www.w3.org/ns/solid/interop#hasAccessNeedGroup":[...],
}] |
Try using a compact JSON-LD serialization. But generally that looks pretty good. The key thing will be to define the right context |
Are all those things required in a profile? Will the apps break down if a property is absent or includes a value that's not an expected type? Are all those statements with object as URI required? Need to be dereferenced for any functionality? If not, why even 'require' it in a profile? How does this look for a human- and machine-readable profile? Did anyone actually test/publish this? Are there not "application", "software", ... classes in the wild? (There are tons!) What was considered/reviewed? Links to threads/minutes... .. there is so much plumbing here that it genuinely scares me. At least 3 namespaces to describe some basic aspects of... an application profile? Those are all separate requirements from different specs. If and when something needs to conform with one, they can 'paygo' (pay as you go). They shouldn't all be packaged up and sold as a requirement to the publisher of the profile. |
schema.org should have those types already defined. |
Also, a client_id profile is really meant to be simple and light weight. I also have concerns about having that serve so many different purposes simultaneously |
@acoburn -
I think many devs will want to do what I have done with data kitchen - put the client identifier document on a Pod that will also serve as the location of the web app. This means the profile needs the other kinds of predicates needed to manage a Pod. Perhaps those should go in a seeAlso document? Also, in terms of developer buy-in "go put these needed security things online" is not the same as "go put details about your app online so that an automatic description of it can be generated. The first is a needed chore, the second is a welcome way to advertise. I also see app details such as name and description being important to user control. I'd like to know what the apps I've given consent to are, not just their URIs. |
No issues or objections with JSON-LD - any/all help is welcome and it looks like @jeff-zucker is already getting started (thanks jeff!). In the panel session earlier this week the action plan was also to work on JSON-LD and Turtle so I imagine other panel members will chip in too
What is required for Solid-OIDC to operate, and what is required for someone to willing to use an application based on the information provided, and know what access to grant it to their data, are not the same thing. The premise of this issue is to allow the client identifier to be dereferenced for both purposes.
The premise of this issue is to reconcile the differences, so it began with an acknowledgement that what we have is not yet streamlined, that there is some overlap that can be optimized, and some areas to iron out. Overlaps (at a glance):
Added from interop:
Given that we can optimize the overlap above, and in comparison with the requirements of solid-oidc, I don't believe the additional requirements from interop are surprising, scary, or unreasonable at all. Whether we can or should look at other vocabularies and/or properties is something we can and should certainly take up as part of the effort.
This is exactly right. |
I would consider including In the end, if someone really wants to conflate a Social Agent with an Application they can use the same WebID for both, I would just discourage that practice. |
I very much agree with this |
Me too, much cleaner. Silly of me to have done it the other way. So is anyone aware of the current state of the notion of "owner"? Is control transferred by adding rights in the pod root .acl or by a predicate and if by a predicate, where should it occur. |
Implementation depends on the server. NSS uses podRoot/.meta :
|
Seems sub-optimal, but okay, thanks for the info, I'll do that. |
So if I transfer ownership of the pod in the way Alain described, the only way I can edit the app's pod as me is to give something like SolidOS Web App trustedApp status which gets written into the app's profile document Thus subverting the goal of keeping the app profile clean. :-( |
The other option is to use NSS's implicit trust that profiles on it have it as IdP and just keep logging in as datakitchen but without an explicit oidc:issuer in the profile. |
When/if trustedApp in the profile goes away (yes,please), this will no longer be an issue. |
@jeff-zucker the NSS implementation gives to the webId in that triple Beware that .meta has a .meta.acl |
There may be a need for NSS migration to add solid:oidcissuer to be compatible with CSS. There use to be an issue with solid/test-suite |
Yes, I saw that. It's important because an owner may not want to disclose that they own the pod. |
Here's another question about the app profile. SocialAgent profiles are "a foaf:PersonalProfileDocument". Is an app profile also? |
WebID profiles incorporate the If you want to augment the type of an app profile, I would just use |
The specification should do a better job incorporating requirements of Social Agents and Applications as stipulated by Solid-OIDC:
The text was updated successfully, but these errors were encountered: