Open jaxoncreed opened 5 years ago
i think the usual case will be "i care about what apps i use to access my stuff" and "i don't care what apps other people use to access my stuff". however, as the owner/controller of some resource, i should be able to express whatever limits i like on my resource, including what app someone else uses.
in my own implementation of WAC, i added being able to express "any origin":
?authorization acl:origin "*" .
and also any acl:origin claims in an authorization record only apply to the agent(s) authorized in that record. i'm not sure what NSS actually does, but the WAC spec implies that authorizing the origin is orthogonal to authorizing the agent. in other words, for this ACL:
_:1 a acl:Authorization;
acl:mode acl:Read;
acl:agent user1:me;
acl:origin <https://app1.example>.
_:2 a acl:Authorization;
acl:mode acl:Read;
acl:agent user2:me;
acl:origin <https://app2.example>.
my WAC implementation allows user1:me to read only with https://app1.example, but my reading of the WAC spec would also allow user1:me to read with https://app2.example.
note too that restricting the app that someone else can use is only for that someone else's protection, since with all currently defined/discussed ways of determining the "app" (HTTP Origin header, an audience member of the id_token), the user (or their OpenID provider, which you must assume the user can control) can arrange to send whatever identifier they want.
How do you limit the apps that others use to access your data? How does this affect user experience?
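
The two readings of acl:origin contrasted in the comment above, as an added example that is not part of the thread or of any Solid server's code. The ACL is modelled as plain objects instead of parsed Turtle, and the function names (`allowedScoped`, `allowedOrthogonal`, `disagreements`) and the third origin `https://app3.example` are hypothetical.

```javascript
// Constructed model of the two-record ACL quoted in the comment above.
// Agents are kept as the opaque strings used in the thread.
const acl = [
  { mode: "Read", agent: "user1:me", origin: "https://app1.example" },
  { mode: "Read", agent: "user2:me", origin: "https://app2.example" },
];

// "*" is the commenter's own "any origin" extension, not a WAC vocabulary term.
const originMatches = (rule, origin) =>
  rule.origin === "*" || rule.origin === origin;

// Reading A (the commenter's implementation): acl:origin only qualifies
// the agent(s) named in the same authorization record.
function allowedScoped(rules, req) {
  return rules.some(r =>
    r.mode === req.mode && r.agent === req.agent && originMatches(r, req.origin));
}

// Reading B (the commenter's reading of the spec): agent and origin are
// checked independently, so different records may supply each half.
function allowedOrthogonal(rules, req) {
  const forMode = rules.filter(r => r.mode === req.mode);
  const agentOk = forMode.some(r => r.agent === req.agent);
  const originOk = forMode.some(r => originMatches(r, req.origin));
  return agentOk && originOk;
}

// List every (agent, origin) pair on which the two readings disagree.
// Useful as a review check before relying on acl:origin in an ACL.
function disagreements(rules, agents, origins, mode = "Read") {
  const out = [];
  for (const agent of agents) {
    for (const origin of origins) {
      const req = { mode, agent, origin };
      const scoped = allowedScoped(rules, req);
      const orthogonal = allowedOrthogonal(rules, req);
      if (scoped !== orthogonal) out.push({ agent, origin, scoped, orthogonal });
    }
  }
  return out;
}

const sampleDiff = disagreements(
  acl,
  ["user1:me", "user2:me"],
  ["https://app1.example", "https://app2.example", "https://app3.example"]);
console.log(sampleDiff);
```

Both readings refuse an origin that appears in no record; they differ only on cross-record agent and origin pairs.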