Agent-Specific Discovery

[woutermont]

No description provided.

[woutermont]

@tomhgmns

[justinwb]

@woutermont do you plan to adjust the relevant places in the interop spec as part of this proposal?

[woutermont]

@justinwb yes, working on it now; will hopefully finish tomorrow!

[woutermont]

Okay, so I've updated the proposal, taking more terminology from the main document, and then subtituted references to the proposal for some portions of the relevant sections in the main document. I tried to be conservative, so there is still quite a lot of text repeating what is already stated in the proposal.

In trying to align the two as good as possible, I wondered why we want to distinguish Social Agents from Applications at this level. Does the Authorization Agent need to know what type it is, given that they really contain the same info. Especially the double Registry->Registration predicate (hasApplicationRegistration/hasSocialAgentRegistration) is hard to incorporate. I feel that it only adds redundant data, since we get the same info from the resource it points to: the following paths hold the same information.

:registry interop:hasApplicationRegistration :registration .
:registry interop:hasRegistration / rdf:type interop:ApplicationRegistration .
:registry interop:hasRegistration / inter:registeredAgent / rdf:type interop:Application .

On another note: the resource hierachy included at the end of the section on Agent Registrations seems to give the wrong hint that it always has to be a filesystem-like structure. I think just including Turtle examples, or graphs like the ones in the Primer, are clearer.

[elf-pavlik]

I'm not sure about specifying registering agents (§5), if we want to do it it might be served better as a follow up step.

[elf-pavlik]

What is the reason for MAY on very generic rdfs:seeAlso? It could lead to a wikipedia page or anything that creator of the description finds relevant in any way.

[woutermont]

Was for compatibility with legacy clients / discovery paths.

ACTION (@woutermont):

• snippets of what legacy vs modern clients would have to implement
• look into different profiles
• put question of compatibility on next weeks agenda

[woutermont]

ACTION: remove rdfs:seeAlso

[justinwb]

Agree with the removal. Feels like very quickly an innocuous piece of code code be misconstrued as the trusted agent manager.

[elf-pavlik]

If we want to be that specific we should probably reference Solid OIDC.
The ID Token is only pushed as a claim and access token should be used in Authorization header.

[woutermont]

You're right! This should be an Access Token with the client_id set to the URI of the Agent.

[elf-pavlik]

Solid OIDC doesn't put any more specific requirement on the format of Access Tokens, they are left up to RS & AS.
I think we should use some abstract language and have non-normative reference to Solid-OIDC as a concrete example.

[elf-pavlik]

@csarven we think this should be discussed on Wednesday

[woutermont]

ACTION: remove token details, talk about "authorized request" and refer to (yet to be created) solid ecosystem options

[elf-pavlik]

This prevents Agent Manager using it as it's Identity Document which would include some public information.

[woutermont]

Not sure I understand. What would the Agent Manager use as who's Identity Document?

[elf-pavlik]

In sai-impl-service the AuthorizationAgent needs to get data from the solid storage. It has privileged access set to the end user (agent) and the authrization agent (client). In that case the Authorization Agent acts as Solid OIDC client and serves its identity document from the same IRI.

[woutermont]

Okay, but what is preventing that?

[woutermont]

ACTION: restore possibility of 200 response for public agents

[woutermont]

Ass requested by @elf-pavlik in yesterday's meeting, here's a quickly drafted snippet of how a client would discover its registration, with support for the "legacy" use of pim:preferencesFile, reading links out of the body rather than the headers, and supporting all reponse codes (303, 204 and 200). I've commented out (with //) those parts that would be superfluous when we would not provide this additional support (only read a single relation, only out of headers, and with only 204 responses) ... it's not much difference i.m.o.

The only thing I left out is the rdfs:seeOther link, because I must agree with @elf-pavlik that this would put too much burden on the client. So we only check for one or two predicates/links of which we specify that they should be unique.

/* RDF Parser */
// import { Parser } from 'n3';
// const parser = new Parser();

/* Shorthands */
const hasAM = 'http://www.w3.org/ns/solid/interop#hasAgentManager';
const regAgent = 'http://www.w3.org/ns/solid/interop#registeredAgent';
// const prefFile = 'https://www.w3.org/ns/pim/space#preferencesFile';

/* Helper functions */
// const const rdfLinks = (rdf) => Object.fromEntries(parser.parse(rdf)
//   .map((quad) => [quad.predicate.value, { target: quad.object.value, context: quad.subject.value }]))
const headerLinks = (response) => Object.fromEntries(
  response.headers?.get('link')?.split(',')?.map((link) => link.trim().split('; ')).map((params) => [
    params.find((param) => param.startsWith('rel=')).replaceAll(/(^rel="|"$)/g,''), ({
      target: params[0].replaceAll(/(^<|>$)/g,''),
      context: params.find((param) => param.startsWith('anchor='))?.replaceAll(/(^anchor="|"$)/g,'') ?? response.url
    })
  ])
)

const getRegistration = async (webid) {

  /* Get links from profile header and body */
  const profile = await fetch(webid);
  const hlinks = headerLinks(profile)
  let am = hlinks[hasAM];
  // let pf = hlinks[prefFile];
  // if (!am && !pf) {
  //   const rlinks = rdfLinks(await profile.text());
  //   am = rlinks[hasAM];
  //   pf = rlinks[prefFile];
  // }

  /* Abort if no indication of agent manager  */
  if (!am && !pf) return undefined; 

  /* Request agent registration */
  const token = getToken(profile);
  const target = am?.target ?? pm?.target
  const dpop = getDPoP('GET', target);
  const registration = await fetch(target, {
    redirect: manual,
    headers: {
      Authorization: `DPoP ${token}`,
      DPoP: dpop,
    },
  });

  /* Optimal case, we're done */
  // if (registration.status === 200) return parser.parse(await registration.text());

  /* Otherwise, follow registration link, then we're done */
  if (registration.status === 204 || registration.status === 303) { 
    const reg = headerLinks(registration)[regAgent].context;
    // const loc = registration.headers.get('location');
    const dpop = getDPoP('GET', reg ?? loc);
    const registration = await fetch(reg ?? loc, {
      headers: {
        Authorization: `DPoP ${token}`,
        DPoP: dpop,
      },
    });
    return parser.parse(await registration.text());
  }

  /* All other cases indicate some auth error
   * which SAI-aware clients could have foreseen. */
  throw new Error('Auth error');

}

PS: I wrote this code directly into this comment, so please treat it as pseudocode; no idea if it would work without some finetuning.

[TallTed]

Thinigs I fixed --

• i.e. and e.g. should be avoided per i18n
• Various language and punctuation errors

Things I haven't fixed --

• example URIs should use IANA reserved Special Use Domains, not (for instance) URIs in my.id which is currently reserved by Indonesia, the controller of the id TLD

[TallTed]

Suggested change

	achieved (e.g. automatically via an API, interactively via a user interface).
	achieved (such as automatically via an API, or interactively via a user interface).

[TallTed]

Suggested change

	Target=], e.g. as specified in an extension to this document.
	Target=], such as those specified in an extension to this document.

[TallTed]

Suggested change

	e.g. `https://my.id/doc#me`.
	for instance, `https://my.id/doc#me`.

[TallTed]

Suggested change

	Upon reception of a request to the [=Identity Document=], its host [SHOULD]
	Upon receipt of a request to the [=Identity Document=], its host [SHOULD]

[TallTed]

Suggested change

	A host of [=Identity Documents=] [MUST] implement any of the above in order to
	A host of [=Identity Documents=] [MUST] implement at least one of the above to

[TallTed]

Suggested change

	References to all these are linked throughout the text,
	References to all of these are linked throughout the text,

[TallTed]

Suggested change

	:: An actor, i.e. an [=Entity=] that acts, does stuff, or has the power to.
	:: An actor (that is, an [=Entity=]) that acts, does stuff, or has the power to do so.

[TallTed]

Suggested change

	It can do this on its own, or mediated by some other [=Agent=].
	It can do this on its own, or through mediation by some other [=Agent=].

[TallTed]

Suggested change

	by defining `interop:hasAuthorizationAgent` as subproperty of `interop:hasAccessManager`.
	by defining `interop:hasAuthorizationAgent` as a subproperty of `interop:hasAccessManager`.

[TallTed]

Suggested change

the [=Authorization Agent=] for a given [=Social Agent=] can be discovered

[justinwb]

Overall looks pretty good - a few comments / questions

[justinwb]

As far as I can tell this is the only place in this PR where the term "Resource Discovery Hub" is used, but it is never defined anywhere else. For the purposes of Abstract, a more straightforward explanation would be better.

[woutermont]

Correct, should be Agent Manager now.

[justinwb]

What is the purpose of this last statement?

without having to bother with all other, irrelevant resources?

[woutermont]

It stresses the efficiency gain of using an Agent Manager, instead of needing to traverse all Resources in order to find out which ones are accessible and relevant.

Do you think we should leave it out?

[justinwb]

A short example of where this would be the case might be useful here.

[justinwb]

This is a bit tough to process. Suggest re-wording for clarity.

[justinwb]

Agree with the removal. Feels like very quickly an innocuous piece of code code be misconstrued as the trusted agent manager.

[justinwb]

What is the rationale behind the MUST on JSON-LD serialization here?

[TallTed]

Suggested change

	— in a performant, secure, and privacy-minded manner,
	without having to bother with all other, irrelevant [=Resources=].
	— in a performant, secure, and privacy-minded manner.

[TallTed]

or possibly

Suggested change

	— in a performant, secure, and privacy-minded manner,
	without having to bother with all other, irrelevant [=Resources=].
	— in a performant, secure, and privacy-minded manner,
	without trying (and/or failing) to access all other, irrelevant [=Resources=].

[woutermont]

Closing this since I am no longer convinced that a separate discovery service is needed (cf. #315). An agent should at all times be able to request access to (types of) resources at an AS, and the combination of the AS's response and a token info endpoint should suffice to gain all necessary information. If not, a better approach than proposed in this PR would be to add a client/agent info endpoint that functions similarly to the OIDC user info endpoint.