This is a Web App to control and manage access to your data following the Solid protocol. It assumes that access control is managed using Web Access Control. It is far from perfect, but it is a start towards an access control app that works on the Solid Pods we have today, without requiring sophisticated setup.
This work is based on
- Andreas Both, Thorsten Kastner, Dustin Yeboah, Christoph Braun, Daniel Schraudner, Sebastian Schmid, Tobias Käfer, Andreas Harth: AuthApp - Portable, Reusable Solid App for GDPR-Compliant Access Granting. ICWE 2024: 199-214 [Postprint]
but strips away dependencies on SAI's Data Registries and ShapeTrees that make the corresponding implementation, the MANDAT AuthApp, require corresponding setup. Today's default provisioned Solid Pods do not come with Data Registrations or ShapeTree definitions.
We thus provide this Solid Authorization App for enabling (and showcasing) the fundamental use cases around access authorization on current standard Solid Pods. For advanced use cases right now, we still recommend looking into the MANDAT AuthApp.
The app checks if you are already set up to use it. It checks:
- whether you have an ldp:inbox linked in your WebID profile
- whether that inbox (container) actually exists
- whether the desired containers to document authorization information in already exist in your Solid Pod
If anything is missing, you will be asked for consent to set things up for you.

If we created the inbox for you, then we will ask you to grant any agent acl:Append permissions (append only, reading is only allowed for you!). This already follows the regular authorization flow in this app, which we describe next.
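
The append-only inbox grant described above, sketched as an added example (not this app's own code): it builds the Web Access Control authorizations, serializes them to Turtle, and audits that no non-owner rule exceeds acl:Append. The function names and the alice.example URLs are assumptions made for illustration, and "any agent" is modelled as foaf:Agent.

```javascript
// Added example, not the app's own code. URLs below are constructed sample values.
const ACL = "http://www.w3.org/ns/auth/acl#";
const AGENT = "http://xmlns.com/foaf/0.1/Agent"; // foaf:Agent matches any agent
const OWNER = "https://alice.example/profile/card#me";
const INBOX = "https://alice.example/inbox/";

// Owner: full access to the inbox and, via acl:default, to everything posted into it.
// Everyone else: Append on the container only, so they can post but not read or list.
function inboxAuthorizations(inboxUrl, ownerWebId) {
  return [
    { id: "#owner", agent: ownerWebId, accessTo: inboxUrl, default: inboxUrl,
      modes: ["Read", "Write", "Control"] },
    { id: "#append", agentClass: AGENT, accessTo: inboxUrl, modes: ["Append"] },
  ];
}

// Serialize the authorizations as the Turtle body of the inbox's ACL resource.
function toTurtle(auths) {
  const blocks = auths.map((a) => {
    const po = ["a acl:Authorization"];
    if (a.agent) po.push(`acl:agent <${a.agent}>`);
    if (a.agentClass) po.push(`acl:agentClass <${a.agentClass}>`);
    po.push(`acl:accessTo <${a.accessTo}>`);
    if (a.default) po.push(`acl:default <${a.default}>`);
    po.push(`acl:mode ${a.modes.map((m) => "acl:" + m).join(", ")}`);
    return `<${a.id}> ` + po.join(";\n    ") + ".";
  });
  return `@prefix acl: <${ACL}>.\n\n${blocks.join("\n\n")}\n`;
}

// Return a list of findings; an empty list means the inbox is append-only for others.
function auditInbox(auths, ownerWebId) {
  const problems = [];
  for (const a of auths) {
    if (a.agent === ownerWebId) continue;
    const extra = a.modes.filter((m) => m !== "Append");
    if (extra.length) problems.push(`${a.id}: non-owner granted ${extra.join(", ")}`);
    // acl:default would let others append to requests already in the inbox.
    if (a.default) problems.push(`${a.id}: non-owner rule is inherited by contents`);
  }
  const ownerOk = auths.some((a) => a.agent === ownerWebId && a.modes.includes("Control"));
  if (!ownerOk) problems.push("owner lacks Control");
  return problems;
}
```
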

The app greets you with your access request inbox where you can inspect, accept or decline access requests.
We assume that your WebID profile links to an ldp:inbox which we expect access requests to be posted to.

If you choose to grant access, the access request will disappear and a corresponding access receipt will be available in the Active Tab.
Here, you can see all the authorizations you have granted -- at least those which are associated to some access request :)
You are free to revoke granted access anytime.

When you revoke access, the access receipt is superseded by another receipt which indicates that access has been revoked.
Such receipts are available in the History Tab.

Currently, we manage access receipts and corresponding authorization logs on your Pod in "hardwired" containers. This is not ideal but good enough for a start.
The MANDAT AuthApp chose to rely on data registries and data registrations according to SAI - but those are not available in regular Pods without prior setup.
Similarly, type indices are not always present.
In fact, even the ldp:inbox is not provided by default on CSS (for example).
This is why we do the light setup ceremony when you start using the app.
We -- as a community -- need to discuss and decide how to properly support finding where data lives or where data should be stored, i.e. reliable discovery.
To test this AuthzApp, you need to send an access request to your ldp:inbox.
To programmatically create an access request, e.g. from your own web application, see this little helper library.
The easiest way - without writing your own app - is to use this little Test App, conveniently deployed here. Just be careful when deleting things, there are no safeguards -- except the "are you sure" confirmation dialog.
How to create an access request:
- log in using your Solid WebID (or use a Solid Identity Provider button as a shortcut)
Then:
- type in the header bar the URI of the resource you want to draft an access request for. We recommend for a quick demo choosing a test resource in some container of your Pod -- this way you will be the one receiving the access request.
- click on the speed dial in the bottom center of your screen
- select the second button on the left-hand side, the one with the ticket symbol (right next to the delete button).
Then:
- the content text field will display a rough draft of an access request, requesting read access and optionally write access.
- (Note that the recipient of the access request is only a guess at this point - we are just getting started)
- the header bar will be updated with a guess of the corresponding user's inbox (note that this is just a guess!)

Then:
- if you are happy with the request (for a quick demo this should work out-of-the-box), select the speed dial button option which is the second on the right-hand side, the one displaying the envelope symbol. This will post the access request to the URI from the header bar, i.e., the inbox of the recipient.
Now, when you log into your deployment of the AuthzApp (the app in this repo), you should see the access request.
Use a somewhat recent node version, e.g. node v20.
```sh
# After cloning this repository: cd in there.
# install dependencies
npm install
# run developer mode
npm run dev
# go to http://localhost:5173
```
If you are new to the Solid Project: Hi and welcome! 👋
In a nutshell, the Solid Protocol is a bundle of specifications that aims to decouple identity (the account you use to log in), application (the app you use), and data (the stuff that the app uses).
The idea is that you should be able to use the same (and mostly your) data with different applications and using an account of your choice!
That is, the Solid Project aims to break open data silos and to enable more control over where data is stored, how it is used and by whom.
A user's data is stored on their Personal Online Datastore (Pod). A Solid Pod is a Web server that adheres to the Solid Protocol.
The Solid Pod provides data under access control. The user is in control of whom to grant access.
More recently, the term Solid Pod is not an official term anymore. The protocol calls it Solid Storage now. It is a more technical name and gets rid of the focus on personal data. Users can have multiple Pods or Storages that make up a (personal) data space.
Have a look at the available Pod Providers, pick one, and try it.
Or, host one yourself, e.g. the Community Solid Server - but this may be a bit advanced. Important: You can host it yourself! 😄
The Solid Protocol is agnostic to the data that is stored or transmitted; it is even agnostic to the database in which the data is actually stored. The Solid Protocol standardizes the data access interface, authorization, authentication and agent identification.
Therefore, any data is good to be handled using the Solid Protocol!
If you want to read up on how this works in B2B environments, check out our presentation video of the MANDAT project at Solid World. There is code, too; see our open source demo repository. And our demo video is available here.
And, have a look at our other publications from that project:
- Andreas Both, Thorsten Kastner, Dustin Yeboah, Christoph Braun, Daniel Schraudner, Sebastian Schmid, Tobias Käfer, Andreas Harth: Foundational Components for B2B Data Sharing Using the Solid Protocol. Journal of Web Engineering, 24(04), 593–634. [Open Access]
- Andreas Both, Thorsten Kastner, Dustin Yeboah, Christoph Braun, Daniel Schraudner, Sebastian Schmid, Tobias Käfer, Andreas Harth: AuthApp - Portable, Reusable Solid App for GDPR-Compliant Access Granting. ICWE 2024: 199-214 [Postprint]
- Andreas Both, Dustin Yeboah, Thorsten Kastner, Daniel Schraudner, Sebastian Schmid, Christoph Braun, Andreas Harth, Tobias Käfer: Towards Solid-Based B2B Data Value Chains. ESWC Satellite Events (1) 2024: 138-142 [Open Access]
- Thorsten Kastner, Christoph Braun, Andreas Both, Dustin Yeboah, Sebastian Josef Schmid, Daniel Schraudner, Tobias Käfer, Andreas Harth: Data-Sovereign Enterprise Collaboration using the Solid Protocol. SEMANTiCS (Posters, Demos, Workshops & Tutorials) 2024 [Open Access]
