Review and restructure Access Grant Proposal#109
Conversation
jeswr
changed the title
There was a problem hiding this comment.
Pull request overview
Restructures the LWS Access Requests / Access Grants specification to align the access object with the ODRL Information Model (Policy + rule arrays), and adds supporting vocabulary + JSON-LD context/framing guidance.
Changes:
- Replaces the previous flat
accessobject with an ODRL Policy shape usingpermission/prohibition/obligationrules and updated examples. - Adds profile vocabulary definitions (actions/left operands/party classes) and introduces JSON-LD Context and JSON-LD Frame sections.
- Tightens/clarifies protocol and validation requirements (e.g., POST handling, status codes, notifications).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| requests with an error response. A successful POST operation MUST respond with a | ||
| <code>Location</code> header set to the URL of the new resource. | ||
| A POST request MUST include a <code>Content-Type</code> header with a value of | ||
| <code>application/ld+json</code>. |
There was a problem hiding this comment.
The protocol text requires Content-Type: application/ld+json on POST. Elsewhere in this repo, LWS defines application/lws+json as its registered media type and treats application/ld+json; profile="https://www.w3.org/ns/lws/v1" as equivalent. Consider allowing application/lws+json and/or requiring the JSON-LD profile parameter, to avoid making Access Requests/Grants incompatible with the LWS media type guidance.
| <code>application/ld+json</code>. | |
| <code>application/lws+json</code>, or <code>application/ld+json</code> with a | |
| <code>profile</code> parameter of <code>"https://www.w3.org/ns/lws/v1"</code>. |
| </li> | ||
| </ul> | ||
| <p> | ||
| This property is OPTIONAL, though servers MAY require it. |
There was a problem hiding this comment.
In the profile intro you say each rule carries its own action, target, assignee, and constraint properties, but later the rule target is described as OPTIONAL. Please reconcile these requirements (either make target required for this profile, or adjust the earlier description to reflect that target may be omitted).
| This property is OPTIONAL, though servers MAY require it. | |
| This property is REQUIRED for this profile. |
|
Thanks, @jeswr |
acoburn
left a comment
acoburn
left a comment
There was a problem hiding this comment.
All the vocabulary-related text should be moved into separate files (ideally separate PRs)
I like some of these changes, but as a package, this is too much (especially with a request to "merge immediately")
| xref: ["web-platform"], | ||
| group: "lws", | ||
| maxTocLevel: 2, | ||
| maxTocLevel: 4, |
There was a problem hiding this comment.
This was intentionally set at 2
| publisher: "W3C", | ||
| status: "ED", | ||
| }, | ||
| "JSON-LD11-FRAMING": { |
There was a problem hiding this comment.
Are you sure this isn't present in specref?
| publisher: "W3C", | ||
| status: "REC", | ||
| }, | ||
| "VCARD-RDF": { |
There was a problem hiding this comment.
Are you sure this isn't present in specref?
| referencing it with a <code>conformsTo</code> property in a Storage Description resource. | ||
| </li> | ||
| <li> | ||
| <dfn>Storage Manager</dfn> — an agent with administrative control over a |
There was a problem hiding this comment.
This term should be defined in the core spec, not here. Plus we need to align on this terminology in the first place.
| describes the requested or permitted operations. A profile that describes | ||
| <a>access requests</a> using ODRL | ||
| concepts is described in <a href="#odrl-access-policy-profile"></a>. | ||
| describes the requested or permitted operations. The <code>access</code> object is an |
There was a problem hiding this comment.
This is problematic. Forcing all access objects to be based on ODRL is too strict
| "target": ["https://storage.example/projects/"], | ||
| "hasPurpose": ["https://purpose.example/collaboration"], | ||
| "constraint": [ | ||
| "type": ["Request"], |
There was a problem hiding this comment.
Doing this moves the ODRL vocabulary into the global scope of the LWS context, which we definitely should avoid
| "target": ["https://storage.example/projects/"], | ||
| "hasPurpose": ["https://purpose.example/collaboration"], | ||
| "constraint": [ | ||
| "type": ["Offer"], |
There was a problem hiding this comment.
Similar to the Request type, doing this forces the ODRL namespace to be in global scope
| Defined by [[!ODRL-VOCAB]].</li> | ||
| <li><code>modify</code> — modify an existing resource (HTTP PUT, PATCH). | ||
| Defined by [[!ODRL-VOCAB]].</li> | ||
| <li><code>append</code> — add content to an existing resource without removing |
There was a problem hiding this comment.
I would avoid append here. ODRL has specifically deprecated that term
| <li><code>client</code> — the client identifier for an HTTP request. | ||
| Defined by this specification.</li> | ||
| <li><code>mediaType</code> — the media type of the target HTTP resource. | ||
| Reuses the <code>as:mediaType</code> term from |
There was a problem hiding this comment.
I was intentionally avoiding use of AS:mediaType. That decision should be made separate to this, as it affects the core spec
|
(Haven't been able to read the details of this PR due to https://pr-preview.s3.amazonaws.com/w3c/lws-protocol/pull/109.html not rendering. But here are some points by reading the textual summary.) I feel supporting a full ODRL policy as (any form of) recommendations (or any special roles) to access requests to LWS is not a good idea, at least until some additional break throughs of ODRL comes into reality (at least, the formal semantics and general reasoner; some additional things are needed as well), due to complication and poor user experience for the resource owner (and maybe app developers too). (My stance: I fully support allowing expressing complex policies in any custom forms, including ODRL, DToU, SAI, etc. I'm raising a concern of putting a complicated policy language as a recommendation at this moment without fully evaluating its effects.) Two main points:
Two more/smaller points:
|
|
For the record, former SolidLab has few (8) repos implementing around ODRL https://github.com/search?q=org%3ASolidLabResearch+odrl&type=repositories |
|
Question on 'Purpose': It is important to be able to keep a signed record of what was displayed to the user. How should system implementers deal with this? |
I feel it is expected a stable ontology/vocabulary is used for the purpose field. A well-behaved ontology will have versions embedded in its URL. (To be fair, this relies on trust of people managing the ontology. Though, things like hash and signatures can be used to assist determining who is not trustworthy. I feel this is less an issue in principle -- we all rely on some trusts anyway on the Internet -- DNS, SSL/TLS, platforms, etc.) The implementor (or some curators) can provide a list of known good ontologies, so the user-facing app can inform the user whether the referenced term is in a well-known ontology or not. |
@acoburn if you are approving of these changes, I suggest we merge them into your PR ASAP and continue discussion there -- rather than having two threads of discussion on Access Grants.
Summary
This branch restructures the LWS Access Requests and Access Grants specification to properly align with the ODRL Information Model. The flat
accessobject is replaced with a standards-compliant ODRL Policy structure usingpermission/prohibition/obligationrules, a formal profile vocabulary is defined, and JSON-LD context and framing are specified.Changes
ODRL Policy Structure (breaking change to data model)
accessobject is now a proper ODRL Policy containingpermission,prohibition, andobligationarrays. Each rule carries its ownaction,target,assignee, andconstraint— replacing the previous flat structure where these were top-level properties on the policy.odrl:Request; access grants useodrl:Offer. The previousODRLAccessPolicytype on the access object is replaced with these standard ODRL policy subclass types.profileproperty: Every access policy now includes a requiredprofileproperty (https://www.w3.org/ns/lws#ODRLAccessProfile) per the ODRL profile mechanism.actionis now a single string per rule instead of an array on the policy, allowing fine-grained constraint attachment per operation.targetis now a single URI per rule instead of an array on the policy.hasPurpose→purposeconstrainthasPurposetop-level property is removed. Purpose is now expressed as an ODRL constraint using the existingodrl:purposeleft operand — consistent with how other conditions (temporal, client, etc.) are expressed.New vocabulary terms
lws:appendaction: A new action defined asodrl:includedIn odrl:modify. Grantingmodifyimplicitly includesappend, butappendalone permits only insert-only PATCH operations.lws:createaction: Defined asodrl:includedIn odrl:use. Corresponds to HTTP POST on an LWS container.lws:resourceTypeleft operand: Renamed fromtypeto avoid collision withrdf:type/JSON-LD@type.lws:issuerleft operand: New constraint for restricting access based on the identity provider that authenticated the agent.rdfs:label,skos:definition,skos:notefor all profile-specific terms.New specification sections
type,profile, rule arrays).vcard:Group.Editorial / structural
Storage Managerto terminology with a formal definition.storage managerreferences to use the<a>storage manager</a>dfn link.JSON-LD11-FRAMINGandVCARD-RDFtolocalBiblio.maxTocLevelfrom 2 to 4 to expose the new subsection hierarchy.