Open elf-pavlik opened 9 years ago
I think this is putting the cart before the horse. When talking about permissions and auth, I think the framing is really important. To that end it needs to be said what is being authenticated. The problem we have had in the social web for 10 years, leading to non interop is that most people dont know.
It's much easier to talk about permissions and auth once that first thing is clearly established and marked. SoLiD have a whole (short) spec devoted to this.
@dissolve re: https://github.com/aaronpk/Micropub/issues/11#issuecomment-108516126
I can hide those features in the UI or I risk my client not working with any other endpoint.
In similar way, client application, interacting with resource server which uses ACL, can leverage hypermedia controls if present, to add/remove possible actions in UI. For example:
Will show you Create button if you loged in, or locked page will only show Edit button if you have admin privilege for that resource.
Similar if my API implements SuggestFriend Action, your UI can show you appropriate widget based on such hypermedia control, which may than use your contacts list for autocomplete. Otherwise you may need to use plain text message to send me a link to a friend you want to suggest me. In short, UI will depend on both set of permissions: Agent/User over resource & App to act on Agent/User behalf.
I "can't" (typo on my part) adjust UI features unless i know what scopes mean.
TL;DR
After discussing this topic further with @fkooman I see one very important distinction to keep in mind:
SoLiD, Micropub, remoteStorage
seeAlso: https://github.com/aaronpk/Micropub/issues/11
WebID-TLS (X.509 SAN) & JWT sub
Resource Server could possibly use JSON Web Token sub parameter in a similar way as WebID-TLS uses X.509 Subject Alternative name to identify the Agent/User trying to access resources. In both cases verification would fetch agents web profile. WebID-TLS would get public key from there, while IndieAuth would 'follow its nose' via _tokenendpoint link relation and verify token by using public key announced by this endpoint to verify JWT signature. http://jwt.io/ For IndieAuth supporting authentication with client certificates, please see: http://indiecert.net
@skddc @michielbdejong @silverbucket @melvincarvalho @aaronpk @dissolve @deiu @bblfish
TODO: compare with http://manu.sporny.org/2014/credential-based-login/ & http://manu.sporny.org/2014/identity-credentials/ & http://manu.sporny.org/2013/sm-vs-jose/