Skip to content

Commit e71d043

Browse files
acoburnuvdslTallTed
authored
Add editors draft for LWS Access Requests and Access Grants (#106)
* Add editors draft for LWS Access Requests and Access Grants * Remove REST binding reference * Add security consideration about spam and other unwanted content * Add affiliations * Adjust LWS-Core reference * Update lws10-access-requests/index.html Co-authored-by: Christoph Braun <braun@kit.edu> * Add missing w3cid property for editor * Add support for target object structures * Adjust authorization requirements/recommendations * Update lws10-access-requests/index.html Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com> * Separate data model and serialization * Remove normative authorization section * Remove data validation requirements * Support multi-valued access properties * Clarify conformsTo text and examples * Adjust discovery requirements * Remove non-normative implementation detail * Simplify profile and policy terms * Remove TypeIndex examples until we have more clarity on the type index feature * Adjust terminology to use storage controller * Move hasConstraint from access object into ODRL constraint structure * Integrate access requests into main specification document * Remove old sections * Add access request content * Update lws10-core/Privacy-Considerations.html Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com> * Fix duplicate definition for echidna check --------- Co-authored-by: Christoph Braun <braun@kit.edu> Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
1 parent bd74429 commit e71d043

5 files changed

Lines changed: 912 additions & 1 deletion

File tree

lws10-core/Discovery.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
<h3>Storage Description Resource</h3>
33

44
<p>
5-
A <dfn>storage description resource</dfn> provides information a client can use
5+
A <a>storage description resource</a> provides information a client can use
66
when interacting with a storage, including descriptions of capabilities and
77
service endpoints.
88
</p>

lws10-core/Privacy-Considerations.html

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,3 +20,24 @@
2020
to correlate requests. When using pseudonymous identifiers, the authorization server will need to be careful not to issue the same identifier more than once.
2121
</p>
2222

23+
<section id="privacy-access-requests" class="informative">
24+
<h4>Access Requests and Grants</h4>
25+
26+
<ul>
27+
<li>
28+
An <a>access request</a> or <a>access grant</a> can reveal sensitive information
29+
about the resources, agents, and purposes involved. Servers are encouraged to limit
30+
the visibility of these resources to authorized parties, such as the storage controller
31+
and the assignee identified in the document. For example, a storage controller might
32+
have the ability to read and delete all resources, while other agents would only have
33+
access to the resources for which they are the assignee.
34+
</li>
35+
<li>
36+
When an <a>access grant</a> includes a client constraint, it is advisable for a
37+
server to filter that grant from responses to requests made by other clients. For
38+
example, if an agent is granted access to a resource only when using a specific
39+
client, that grant would not be visible when the agent uses a different client.
40+
</li>
41+
</ul>
42+
</section>
43+

lws10-core/Security-Considerations.html

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,3 +31,28 @@ <h4>Token Security</h4>
3131
</ul>
3232
</section>
3333

34+
<section id="security-access-requests" class="informative">
35+
<h4>Access Requests and Grants</h4>
36+
37+
<ul>
38+
<li>
39+
Servers are strongly encouraged to apply authorization rules to both the
40+
<a>access request</a> and <a>access grant</a> endpoints. Write access to the
41+
<a>access grant</a> endpoint, in particular, should be restricted to authorized
42+
storage controllers and specific clients.
43+
</li>
44+
<li>
45+
When an agent creates an <a>access request</a>, the server is encouraged to verify
46+
that the <code>assignee</code> value in the request is associated with the
47+
authenticated identity of the requesting agent.
48+
</li>
49+
<li>
50+
Because the <a>access request</a> endpoint accepts content from external agents,
51+
servers are encouraged to implement measures to prevent abuse, such as rate limiting,
52+
payload size restrictions, or requiring authentication before accepting submissions.
53+
Without such protections, the endpoint may be vulnerable to spam, resource exhaustion,
54+
or other forms of unwanted content.
55+
</li>
56+
</ul>
57+
</section>
58+

lws10-core/index.html

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -273,6 +273,11 @@ <h2>Delete resource</h2>
273273
<div data-include="Operations/rest-table.md" data-include-format="markdown" data-include-replace="true"></div>
274274
</section>
275275

276+
<section id="access-requests-and-grants">
277+
<h2>Access Requests and Grants</h2>
278+
<div data-include="lws-access-requests.html" data-include-replace="true"></div>
279+
</section>
280+
276281
<section id="lws-media-type">
277282
<h2>LWS Media Type</h2>
278283
<div data-include="lws-media-type.md" data-include-format="markdown" data-include-replace="true"></div>

0 commit comments

Comments
 (0)