How does authorization by origin work?
#183
Comments
|
My understanding is that CLI-based apps send a null origin. I am not aware of any way to get around that. The Solid specs have largely skirted the whole issue of CLI-based apps (if you looked back over the years you will me raising that as an issue repeatedly). This means that each server handles them differently. ESS assigns a WebID to each app so that can be used instead of origin. AFAIK, neither NSS nor CSS support authorization rules targeting CLI-based apps. |
|
If it is a long-running app, does this mean there is basically only one instance of the app? If so, you could create a WebID for the app, have it login and write your authorization rules for that user. |
|
Thanks @jeff-zucker for the more detailed explanation! For the time being, I can assume there is only one instance of the app. How do I deal with that WebID for it? Simply create a Solid pod and log in to that pod from the app (how? from browser?)? Or, is there a simpler way to just prove who I (the app) am? In the end, I just need to allow my app to identify itself in a way that any users' pods can set access control rules for it. |
Browsers send the origin of the page the app is launched from. So if you use an app at http://example.com/someApp.html, then http://example.com is the origin. This is regardless of the user and their login status.
Yes.
The readme for my Solid-Node-Client details what had been the ways to login from a CLI based app. It still works fine with NSS and CSS but may not work with ESS, you'd have to check the Inrupt docs. It can be automated.
Am I understanding correctly that your app would be operated from a server, not by a user? Or does the user operate your app as themself? If as themself, they can just make the resources private to them as a user and ignore the app permission. For CLI-based apps, app permission is not needed. If it is operating from a server but meant to operate on the resources of multiple pods, then I think the easiest is still going to be to create a user. So create a pod for AppX. Have your users create persmissions for AppX as a user, not as an app . Then have your app login as AppX when it runs. This way when it visits one of your user's pods, the pod will say _"the origin is null so I don't need to check app permissions and the user is AppX who is authorized here". |
|
#184 is another consequence of this lack of consistency about null origin in Solid - it focuses on the use case of a mobile app trying to login from a CLI and launch a browser session with it. The errors show up in the browser when using SolidOS, but It really doesn't have to do with SolidOS, rather with logging in from a CLI. |
|
The |
I'm trying to allow an application to authenticate/authorize(?) itself by using Origin. From SolidOS interface, I changed the sharing permission to a file by adding "A Web app (origin)".
For simplicity, let's assume I have the following:
http://localhost:9000https://my.domainhttp://my.other.domainHow do I make the query from my application?
In particular, my application is CLI-based -- in fact, it is a long-running service.
My attempts:
I did not find the relevant document on how the request should work. Therefore, I'm using the most naive method: add
Origin: xxx(wherexxxis one of the origins) to the HTTP request header. For example (using httpie):But this does not work. I encountered slightly different behaviours:
401 Unauthenticated401 UnauthorizedIf omitting the protocol (I assume this is incorrect by nature, as origin needs to have a protocol), I encounter:
NamedNode IRI "my.domain" must be absolute[PermissionBasedAuthorizer] {Primary} warn: Unauthenticated agent has no read permissionsin the consoleThe text was updated successfully, but these errors were encountered: