Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Person should have a way to define preffered app authorization manager (also an app) #29

Closed
elf-pavlik opened this issue Sep 3, 2019 · 6 comments
Closed

Person should have a way to define preffered app authorization manager (also an app) #29

elf-pavlik opened this issue Sep 3, 2019 · 6 comments

Comments

@elf-pavlik
Copy link
Member

elf-pavlik commented Sep 3, 2019
edited
Loading

Managing app authorizations in many cases will require UI, preferably person can specify preferred app authorization management application as application with special role to manage authorizations for other applications. Applications which want to request authorizations would need a way to discover it and probably redirect user to approve / disapprove / partially approve.

Use case: discussion boards

I think approach proposed in Privilege Request Protocol where each RS provides its own authorizations management UI leads to poor UX and may only stay required in some more restrictive deployments where RS admins needs higher level of control.
@jaxoncreed
Copy link
Contributor

Right, there is a question on where the actual authorization should take place. Though I think if it's on the Identity Provider, it's fine to have that UI bound to the Identity Provider. If a user doesn't like it they can swap IDPs.

@elf-pavlik
Copy link
Member Author

I don't see it necessary tied to OP / IDP in any way, possibly it should not involve OP / IDP at all. Person can store authorizations on RS of one's own choice, possibly something for Data Interop Panel.

@jaxoncreed
Copy link
Contributor

jaxoncreed commented Sep 3, 2019
edited
Loading

This stems off of the idea that the webID should be kept with the IDP as well and basically boils down to "Should your application preferences be bound to your identity or something else." Currently, it's very much bound to your identity as it's in the WebID (albeit implemented poorly). Not saying that giving the IDP responsibility for this is the right decision, but it's not a very large leap to take.

@elf-pavlik
Copy link
Member Author

elf-pavlik commented Sep 3, 2019
edited
Loading

I agree that discovery will need to start from WebID Profile, just like discovery of OP starts there and follows solid:oidcIssuer predicate. Nowhere we restrict where the WebID Profile stays hosted, if one doesn't want to edit it with solid app it doesn't even have to stay on solid RS.

solid-webid-idp-storage(1)

Similar to my comment on last authentication panel meeting, I think we should document roles and responsibilities just to make sure we all use the same terms in consistent way.

This was referenced Sep 5, 2019
Open
Closed
@bblfish bblfish mentioned this issue Oct 3, 2019
Open
@elf-pavlik
Copy link
Member Author

I looks like we will add relevant responsibilities to OP, User can choose their OP so in a way they also choose their app authorizations management service.

@elf-pavlik elf-pavlik reopened this Jan 13, 2021
@elf-pavlik
Copy link
Member Author

https://solid.github.io/data-interoperability-panel/specification/#authorization-agent

Authorization Agent is associated with the End-user similar to OpenID Provider. It handles authorizing clients (apps) and provides UI.

Early-stage open-source implementation:

@elf-pavlik elf-pavlik mentioned this issue Mar 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elf-pavlik @jaxoncreed