Open michielbdejong opened 4 years ago
Not breaking the client-server interaction per se, but breaking for how users expect app permissions to work:
acl:trustedApp
mechanism was removedThis means a user should (find a way to) use acl:origin
in ACL docs instead of acl:trustedApp
in profile docs.
Something like https://github.com/inrupt/launcher-exploration / https://launcher-exploration.inrupt.app/ could probably make this pretty seamless, though.
There is no Dec-2019 document, because we were told it is more important to reach rough consensus on as much as possible than produce a document. The only thing that has been decided to the process so far is to remove globbing. Remove SPARQL-on-GET happened before, but I guess it is in a similar situation. #77 still has the "Under discussion" status, as no rough consensus text has been proposed, and it is up to the panel to propose it.
Ooops, hit the wrong button. :-)
So from what I can see, those 5 are the main changes between the roughly-0.8 version we tagged in July, and the "December 2019" version we're tagging today.
At some level you could say https://github.com/solid/specification/issues/115 is a sixth one, although it will probably go down in history as a clarification and not a breaking change.
So for my own notes, I'll consider this right here as "current Solid", starting today. Just like until today I used https://github.com/inrupt/pod-server/issues/15 as "what I call current Solid".
Ah, and I think the TLS-bridge requirement from https://github.com/solid/webid-oidc-spec/pull/26#issuecomment-506347607 / https://github.com/solid/solid-spec/pull/171/files#diff-04c6e90faac2675aa89e2176d2eec7d8R126-R127 was also not copied over, right?
So to summarize ([-]
is feature no longer required, [+]
is feature newly required):
[-]
sparql on get[-]
globbing[-]
acl:trustedApp[-]
strong consistency[+]
not sending updates to clients that didn't prove acl:Read
access to the resource in question (which clients can do by sending the auth <bearer>
command, see below).[-]
webid-tls bridge (probably downgraded from a SHOULD to a MAY?)IIUC, for app developers (as a result), this means:
acl:trustedApp
(https://github.com/inrupt/launcher-exploration can help there)auth <bearer>
command when connecting to websockets-pubsub Issues I have with the changes
I haven't participated in the auth* work directly, but that seems to be about it.
I do note that the REST API documentation is very sparse, and that we know that NSS doesn't conform to LDP, and that /
semantics isn't well developed, and various other issues. It is our ambition to not break things in there, and we're working on verifying the current NSS behaviour, but there is a lot of grey area.
Don't want to remove use of TLS to log on until we have webathen log on . We should always have at least two systems.
I think we should always stay very clear which case of 'log on' we discuss
While for 1. we probably can leave it up to OP to use whatever it wants. For the rest we want to have one common mechanism evolving from WebID-OIDC in Authentication and Authorization Panels.
I think acl:trustedApp is useful. For things like the data browser.
This comes into play in case 4. from my previous point. IMO direction which gets strongest consensus would give this responsibility to OP, which would ensure respecting user's privacy while still giving user full control over how much of their access they want to delegate to each application. Mentioned one common mechanism which builds on OAuth2 seems capable of addressing those requirements gracefully. WebID-TLS doesn't seem to provide comparable capabilities and since spec can leave case 1. (log on to OP) open probably it wouldn't even need to mention WebID-TLS just as it doesn't need to list any other of all the possible ways for user to establish session with their OP.
I've just created PR attempting to clarify that WebID-TLS doesn't play any more a special role in solid ecosystem #140
Also heard a rumour that deletes may become recursive, see https://github.com/solid/specification/blob/editors-draft/main/introduction.bs#L23
I suggest to close this issue. Will label with "Waiting Commenter" for the time being prior to closing.
https://solidproject.org/TR/2021/protocol-20211217 (Version 0.9) is taken to be the first published version of the specification that went through some process/group/team deliberation. It does not have a change log because the diff is not straight forward to produce or necessarily observable. While documentation prior to v0.9 exists, they weren't "specifications" in the common sense. We had to draw the line somewhere.
That aside, if a change log along the lines of https://solidproject.org/ED/protocol#change-log can be produced for https://solidproject.org/TR/2021/protocol-2021121 , we can consider adding it.
Please document the changelog from the
roughly-0.8
version to theDec-2019
version. It may be useful to categorize the changes by if and how they require action from server- and/or client- implementers:roughly-0.8
server incompatible with aDec-2019
clientroughly-0.8
client incompatible with aDec-2019
server77 Restructure JWT in Authorization header Bearer token (the SolidAuthClient will look at the WWW-Authenticate header and be able to switch between both formats, but new servers will only be required to implement the new one). Note that this change will at first be documented in a PR and not in the master spec text, but @jaxoncreed will already add support for it to Solid-Auth-Client.
@csarven @kjetilk is this list correct?