Alice - A user that wants to allow an app access to data in her pod.
alice.example - Alice’s Solid Pod Provider. She is using it both as her Identity Provider (IdP), and as her Resource Server (RS) because her data is stored in her pod. This is the typical case for most Solid users.
DecentPhotos - The decentralized app that Alice wants to use at decentphotos.example, making it the Relying Party (RP). Once authorized, it will act as an autonomous agent that connects to Alice's pod on its own at a regular interval or through an event-based trigger, and will organize her photos into different smart albums like - “photos taken in Italy”, or “photos of Bob".
This approach can be employed whether the application is one that Alice uses directly on the web through a browser (like a website she visits that lets her manage her photos), or one that runs autonomously (like a service she has authorized to connect to her pod every night and use smarts to organize her photos for her).
In this example, Alice is already logged into her identity provider (e.g. via solid-auth-client) and has her credentials readily available (i.e. in local storage). If she wasn’t, she would simply need to go through an extra challenge at Step #6, which would be specific to that identity provider and her preferences (i.e. username and password, two-factor, etc.)
- Alice hears about DecentPhotos and wants to give it access to her pod so it can organize her pictures for her.
- DecentPhotos is an autonomous agent that runs on its own (from some cloud provider). To do this, Alice needs to give DecentPhotos some authority to access the photos in her pod on her behalf.
- Alice goes to
www.decentphotos.example
to connect it to her pod. She enters her WebID so DecentPhotos can lookup who her IdP (Identity Provider) is, and clicks a 'Connect' button. decentphotos.example
(RP) reacts to the 'Connect' button being clicked by responding with a redirect. This redirect sends Alice's browser to the authorization endpoint atalice.example
because it is her IdP, including in the request a client_id of the DecentPhotos application/agent WebID (https://decentphotos.example/appid#this
).- Alice’s browser makes the request to the redirect URL (which is the authorization endpoint at IdP), identifying itself by the application WebID (client_id), and also passing along an optional scope and the redirect_uri, which is a callback to
decentphotos.example
, to be used after Alice has proved she has control ofalice.example
(RS) - Because Alice is already logged in at her IdP, she doesn’t need to enter her username and password again (she’s already got a token proving she is THE ALICE).
- The authorization endpoint at
alice.example
(IdP) asks Alice if she wants to authorize DecentPhotos (RP) to access her Pod at a given scope. She has the ability here to further narrow this to only a subset of her photo library if she likes. Upon her confirmation here, DecentPhotos will be added as a trusted application in her WebID Profile, identified by its application/agent WebID (https://decentphotos.example/appid#this
), and Alice's private photos folder athttps://alice.example/pics/private
will have its ACL updated to allow DecentPhotos (RP), identified byhttps://decentphotos.example/appid#this
, read/write access to that folder and its contents. - Alice submits this and is sent (redirected) to the redirect_uri / callback which was provided by DecentPhotos (RP) in Step #5, along with an authorization code. Alice's browser now makes a new GET request to
decentphotos.example
(RP), with that authorization code included. - DecentPhotos makes a request to the IdP’s token endpoint with the authorization code, and receives a token in the response (assuming it all checks out) like:
{ access_token: “98qwerkjhqwerjhkwq”, token_type: “Bearer” }.
- The response may also include additional details like scope / expiration time, or a refresh token if available. The refresh token would allow DecentPhotos to continue to renew the bearer token without Alice having to intervene until the expire time associated with the Refresh token is passed. A refresh token's expire time is typically set for weeks or months, as opposed to the expire time on a bearer which should be much shorter lived (typically minutes or hours).
- DecentPhotos (RP) stores this token and is able to use it for requests to
alice.example
(RS) - That night, while Alice is asleep, DecentPhotos (RP) is going to connect to
alice.example
(RS) and organize some photos - DecentPhotos (RP) sends a request to the
alice.example
(RS) forhttps://alice.example/pics/private
, including the bearer token alice.example
(RS) validates the bearer token againstalice.example
(IdP), and concludes it is valid. Since these are on the same server, this is fairly easy because the data is readily available. If they weren’t, this could be done through token introspection.alice.example
(RS) has confirmed that this is in fact THE DecentPhotos, and moves on to checking to see if DecentPhotos is authorized to accesshttps://alice.example/pics/private
based on the associated ACL.alice.example
(RS) matched the client_id in the token (https://decentphotos.example/appid#this
), with a rule in the ACL which permits that the agent athttps://decentphotos.example/appid#this
has read and write access tohttps://alice.example/pics/private
- The request is granted.