Skip to content

Commit e460ad8

Browse files
Merge branch 'main' into terminology-representations
2 parents af100b4 + 5f03543 commit e460ad8

14 files changed

Lines changed: 2076 additions & 17 deletions
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Echidna lws-authn-openid
2+
on:
3+
pull_request:
4+
paths:
5+
- "lws10-authn-openid/**"
6+
push:
7+
branches: [main]
8+
paths:
9+
- "lws10-authn-openid/**"
10+
jobs:
11+
main:
12+
name: Build, validate and publish
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v3
16+
- uses: w3c/spec-prod@v2
17+
with:
18+
SOURCE: lws10-authn-openid/index.html
19+
TOOLCHAIN: respec
20+
W3C_ECHIDNA_TOKEN: ${{ secrets.ECHIDNA_AUTHN_OPENID }}
21+
W3C_WG_DECISION_URL: https://www.w3.org/2026/04/28-lws-minutes.html#0c16
22+
W3C_BUILD_OVERRIDE: |
23+
shortName: lws10-authn-openid
24+
specStatus: WD
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Echidna lws-authn-saml
2+
on:
3+
pull_request:
4+
paths:
5+
- "lws10-authn-saml/**"
6+
push:
7+
branches: [main]
8+
paths:
9+
- "lws10-authn-saml/**"
10+
jobs:
11+
main:
12+
name: Build, validate and publish
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v3
16+
- uses: w3c/spec-prod@v2
17+
with:
18+
SOURCE: lws10-authn-saml/index.html
19+
TOOLCHAIN: respec
20+
W3C_ECHIDNA_TOKEN: ${{ secrets.ECHIDNA_AUTHN_SAML }}
21+
W3C_WG_DECISION_URL: https://www.w3.org/2026/04/28-lws-minutes.html#0c16
22+
W3C_BUILD_OVERRIDE: |
23+
shortName: lws10-authn-saml
24+
specStatus: WD
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Echidna lws-authn-ssi-cid
2+
on:
3+
pull_request:
4+
paths:
5+
- "lws10-authn-ssi-cid/**"
6+
push:
7+
branches: [main]
8+
paths:
9+
- "lws10-authn-ssi-cid/**"
10+
jobs:
11+
main:
12+
name: Build, validate and publish
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v3
16+
- uses: w3c/spec-prod@v2
17+
with:
18+
SOURCE: lws10-authn-ssi-cid/index.html
19+
TOOLCHAIN: respec
20+
W3C_ECHIDNA_TOKEN: ${{ secrets.ECHIDNA_AUTHN_SSI_CID }}
21+
W3C_WG_DECISION_URL: https://www.w3.org/2026/04/28-lws-minutes.html#0c16
22+
W3C_BUILD_OVERRIDE: |
23+
shortName: lws10-authn-ssi-cid
24+
specStatus: WD
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Echidna lws-authn-ssi-did-key
2+
on:
3+
pull_request:
4+
paths:
5+
- "lws10-authn-ssi-did-key/**"
6+
push:
7+
branches: [main]
8+
paths:
9+
- "lws10-authn-ssi-did-key/**"
10+
jobs:
11+
main:
12+
name: Build, validate and publish
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v3
16+
- uses: w3c/spec-prod@v2
17+
with:
18+
SOURCE: lws10-authn-ssi-did-key/index.html
19+
TOOLCHAIN: respec
20+
W3C_ECHIDNA_TOKEN: ${{ secrets.ECHIDNA_AUTHN_SSI_DID_KEY }}
21+
W3C_WG_DECISION_URL: https://www.w3.org/2026/04/28-lws-minutes.html#0c16
22+
W3C_BUILD_OVERRIDE: |
23+
shortName: lws10-authn-ssi-did-key
24+
specStatus: WD

.github/workflows/echidna-core.yml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Echidna lws-core
2+
on:
3+
pull_request:
4+
paths:
5+
- "lws10-core/**"
6+
push:
7+
branches: [main]
8+
paths:
9+
- "lws10-core/**"
10+
jobs:
11+
main:
12+
name: Build, validate and publish
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v3
16+
- uses: w3c/spec-prod@v2
17+
with:
18+
SOURCE: lws10-core/index.html
19+
TOOLCHAIN: respec
20+
W3C_ECHIDNA_TOKEN: ${{ secrets.ECHIDNA_CORE }}
21+
W3C_WG_DECISION_URL: https://www.w3.org/2026/04/28-lws-minutes.html#0c16
22+
W3C_BUILD_OVERRIDE: |
23+
shortName: lws10-core
24+
specStatus: WD

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ To see the most recent HTML rendered version of the specification from this repo
1414
- [`authn-saml`](lws10-authn-saml/): SAML 2.0 Authentication Suite
1515
- [`authn-ssi-cid`](lws10-authn-ssi-cid): Self-signed Controlled Identifier Authentication Suite
1616
- [`authn-ssi-did-key`](lws10-authn-ssi-did-key): Self-signed `did:key` Authentication Suite
17+
- [`notifications`](lws10-notifications/): Notifications
1718

1819

1920
## Contribution Guidelines:

lws10-core/Discovery.html

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
<h3>Storage Description Resource</h3>
33

44
<p>
5-
A <dfn>storage description resource</dfn> provides information a client can use
5+
A <a>storage description resource</a> provides information a client can use
66
when interacting with a storage, including descriptions of capabilities and
77
service endpoints.
88
</p>
@@ -125,7 +125,8 @@ <h4>Storage Description Representation</h4>
125125
],
126126
"service": [{
127127
"type": "NotificationService",
128-
"serviceEndpoint": "https://storage.example/notification/api"
128+
"serviceEndpoint": "https://storage.example/notification/api",
129+
"subscriptionType": ["WebhookSubscription"]
129130
}, {
130131
"type": "TypeIndexService",
131132
"serviceEndpoint": "https://storage.example/types/api"

lws10-core/Privacy-Considerations.html

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,3 +20,24 @@
2020
to correlate requests. When using pseudonymous identifiers, the authorization server will need to be careful not to issue the same identifier more than once.
2121
</p>
2222

23+
<section id="privacy-access-requests" class="informative">
24+
<h4>Access Requests and Grants</h4>
25+
26+
<ul>
27+
<li>
28+
An <a>access request</a> or <a>access grant</a> can reveal sensitive information
29+
about the resources, agents, and purposes involved. Servers are encouraged to limit
30+
the visibility of these resources to authorized parties, such as the storage controller
31+
and the assignee identified in the document. For example, a storage controller might
32+
have the ability to read and delete all resources, while other agents would only have
33+
access to the resources for which they are the assignee.
34+
</li>
35+
<li>
36+
When an <a>access grant</a> includes a client constraint, it is advisable for a
37+
server to filter that grant from responses to requests made by other clients. For
38+
example, if an agent is granted access to a resource only when using a specific
39+
client, that grant would not be visible when the agent uses a different client.
40+
</li>
41+
</ul>
42+
</section>
43+

lws10-core/Security-Considerations.html

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,3 +31,28 @@ <h4>Token Security</h4>
3131
</ul>
3232
</section>
3333

34+
<section id="security-access-requests" class="informative">
35+
<h4>Access Requests and Grants</h4>
36+
37+
<ul>
38+
<li>
39+
Servers are strongly encouraged to apply authorization rules to both the
40+
<a>access request</a> and <a>access grant</a> endpoints. Write access to the
41+
<a>access grant</a> endpoint, in particular, should be restricted to authorized
42+
storage controllers and specific clients.
43+
</li>
44+
<li>
45+
When an agent creates an <a>access request</a>, the server is encouraged to verify
46+
that the <code>assignee</code> value in the request is associated with the
47+
authenticated identity of the requesting agent.
48+
</li>
49+
<li>
50+
Because the <a>access request</a> endpoint accepts content from external agents,
51+
servers are encouraged to implement measures to prevent abuse, such as rate limiting,
52+
payload size restrictions, or requiring authentication before accepting submissions.
53+
Without such protections, the endpoint may be vulnerable to spam, resource exhaustion,
54+
or other forms of unwanted content.
55+
</li>
56+
</ul>
57+
</section>
58+
Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,5 @@
1-
this left intentionally blank
1+
# Notifications
22

3+
The [LWS Notifications](../../lws10-notifications/index.html) specification extends the Linked Web Storage (LWS) protocol with a mechanism for clients to receive timely updates about changes to resources via Webhooks — server-to-server push notifications with HTTP Message Signatures.
4+
5+
The notification data model is based on Activity Streams and is discoverable via the storage description resource.

0 commit comments

Comments
 (0)