Skip to content

Separate authentication and entitlements, add federated DRM#66

Draft
jdevalk wants to merge 4 commits intomainfrom
feature/separate-auth-entitlements
Draft

Separate authentication and entitlements, add federated DRM#66
jdevalk wants to merge 4 commits intomainfrom
feature/separate-auth-entitlements

Conversation

@jdevalk
Copy link
Member

@jdevalk jdevalk commented Mar 21, 2026
edited
Loading

Summary

  • Separates auth (repository authentication) from entitlements (vendor-controlled access policy), resolving the conflation of authentication, authorization, and DRM in the existing auth property.
  • Adds FairEntitlementService as a new DID Document service type, giving vendors a trust anchor for entitlement verification that survives repository changes.
  • Defines an entitlement verification protocol with JWT-based entitlement proofs that can be validated by repositories, aggregators, and caches.
  • Writes the ext-auth.md extension defining bearer, basic, and oauth2 authentication methods (previously empty).
  • Adds entitlement types to the registry: subscription, purchase, license-key, free-registration.
  • Increases the description character limit from 140 to 250 characters (spec and JSON schema).

How it works

  1. Vendor registers a FairEntitlementService in their DID Document (trust anchor)
  2. Package metadata specifies entitlements with type, service URL, and user-facing hints
  3. Client validates the service URL matches the DID Document
  4. Client verifies the user's entitlement via POST to the vendor's service
  5. Vendor returns a signed JWT proof; client presents it to the repository as a bearer token
  6. Repository validates the JWT and serves the artifact

This means vendors control access regardless of which repository serves their package, and users keep their entitlements when packages move between repositories.

Files changed

  • specification.md — Core spec changes (auth narrowing, entitlements, DID service, verification protocol, flow diagrams, description limit)
  • schemas/metadata.schema.json — Updated description maxLength from 140 to 250
  • ext-auth.md — Authentication methods extension (bearer, basic, oauth2)
  • registry.md — Added entitlement types table
  • docs/implementing/restricted.md — Updated implementation guide
  • docs/restricted.md — Updated user-facing overview

Test plan

  • Review all cross-references between spec, extension, and registry for consistency
  • Walk through the installation flow for a free package (no entitlements) — should be unchanged
  • Walk through the installation flow for a restricted package with entitlements
  • Verify the DID Document example is valid
  • Verify backward compatibility: existing auth-only packages still work

🤖 Generated with Claude Code

@jdevalk @claude
Separate authentication and entitlements, add federated DRM
d456f05 
The existing `auth` property on Release Documents conflated authentication
(how to present credentials) with authorization (whether a user may access
a package). This change separates the two concerns and adds a federated
entitlement verification protocol:

- Narrow `auth` on releases to repository authentication only
- Add `entitlements` property to Metadata Documents for vendor-controlled
  access policy (subscription, purchase, license-key, free-registration)
- Add `FairEntitlementService` DID Document service type as trust anchor
- Define entitlement verification protocol with JWT-based proofs
- Write the ext-auth.md authentication methods extension (bearer, basic, oauth2)
- Add entitlement types to the registry
- Update implementation guide and docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joost de Valk <joost@altha.nl>
@jdevalk jdevalk force-pushed the feature/separate-auth-entitlements branch from 331484c to d456f05 Compare March 21, 2026 10:26
@jdevalk jdevalk marked this pull request as draft March 21, 2026 10:28
@toderash
Copy link
Member

toderash commented Mar 21, 2026

The approach works for me. Background for other reviewers: TYPO3 hackathon discussion of how deeply FAIR should get into this - the concept has always existed, with placeholders in the spec. The approach needs to remain agnostic about the authentication method or platform, not requiring a specific type - e.g., maybe it's not based on a license key; actual implementation should also support an expiry date or next-reauth check so it doesn't have to be done on. every. single. page. load.

jdevalk and others added 3 commits March 21, 2026 13:10
@jdevalk @claude
Fix test data to conform to JSON schema
a19a389 
- Change `provides` from empty array `[]` to empty object `{}` in both
  test data files (spec requires provides to be a map/object)
- Add a security contact to did_plc_m5tfrwxd3btacxlstcvop2ib.json
  (spec requires at least one security contact)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joost de Valk <joost@altha.nl>
@jdevalk @claude
Increase description character limit from 140 to 250
049943d 
140 characters is too short for a meaningful package description.
250 characters allows 1-2 sentences while still keeping it concise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joost de Valk <joost@altha.nl>
@jdevalk
Merge remote-tracking branch 'origin/fix/test-data-schema-conformance…
b1becdb 
…' into feature/separate-auth-entitlements
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jdevalk @toderash