w3c-ccg / zcap-spec

WORK ITEM: Authorization Capabilities (ZCAP) specification
https://w3c-ccg.github.io/zcap-spec/

Possible to have a bearer token form of a zcap? #44

Open jandrieu opened 1 year ago

jandrieu commented 1 year ago

I notice that invocations MUST have a proof.

Does that mean it is out of spec to issue a capability that is a bearer token which can be used without signing?

dlongley commented 1 year ago

Currently there's no support for invocation without a proof to reduce optionality in the core primitives as much as possible. One could get similar behavior to bearer tokens with zcaps, however, by doing one of two things:

  1. Setting the controller property of a zcap to, e.g., a did:key DID, and passing along the private key material associated with that DID to whomever the zcap is given.
  2. Passing along invocation proofs: asking another party to create an invocation proof for a zcap and hand it to you -- which you can then submit at the invocation target within some time window. This is a pattern that is already used in some scenarios.

Are there use cases that you think should be supported by zcaps that need to do more / something other than this? If so, why are zcaps the right tool for those use cases / what advantages do they provide over other types of object capabilities?

jandrieu commented 1 year ago

It's mostly that we have a set of functionality that does not require signing every operation, but does require that the current individual proves they were granted access. We could just use a JWT signed by the server, but we are using capabilities for other authorizations, so we were exploring whether or not zcaps could be used for both. Seeing the MUST requirement for proofs, that suggests that they aren't a good fit.