
HTTP 403 - does the user or the application lack required access mode? #34

Open
elf-pavlik opened this issue Sep 6, 2019 · 7 comments

Comments

@elf-pavlik
Member

AFAIK currently a client receiving an HTTP 403 response doesn't have a way to tell the difference between the user missing the required access mode or just the app missing the required access mode. That difference usually will impact the next steps in the interaction:

  • App needs to ask user for granting it missing access mode.

or

  • User needs to ask resource owner for granting her missing access mode.

In a separate issue I will propose a new role of user's proxy, which among other issues may also help with addressing this one.

@kjetilk
Member

kjetilk commented Oct 7, 2019

Actually, NSS5 will give "403 Origin Unauthorized" or "403 User Unauthorized" based on this, but indeed, this needs to be spec'd.

@RubenVerborgh
Contributor

Note that status text has disappeared from HTTP/2, so we need a means of specifying this inside of the response body.

@kjetilk
Member

kjetilk commented Oct 7, 2019

Right!

I could have sworn we had an issue open for structured error messages, but I can't find it now... Anyone remember?

@elf-pavlik
Member Author

elf-pavlik commented Oct 7, 2019

Actually, NSS5 will give "403 Origin Unauthorized"

I think we may need to think in a more general way about apps/clients and not assume anything about origin. Especially since only the IdP/AS would do a redirect in the OAuth flow, so the RS has no way to directly verify the origin claimed by the app/client in an HTTP header (even a browser app could use a proxy to change it, solid/web-access-control-spec#34). I think we might need at least two error codes

  • User Unauthorized
  • Client Unauthorized

Getting Client Unauthorized, the app could ask the User for permission. This also hits #43 - the app would need to know which AS has authority over that resource, resource associated or user associated. Also https://github.com/solid/specification/issues/80 may play a role if the user has multiple associated AS, but I think the User can figure it out since it all stays on their side.

@kjetilk
Member

kjetilk commented Oct 7, 2019

Yeah, I agree, origin based trust is unsustainable, I was just mentioning it as an example of what we already have. :-)

@elf-pavlik
Member Author

User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization: 3.3.6 Authorization Server Response to Client on Authorization Failure includes some examples where they use plain application/json for error messages. I think we could use something similar with application/ld+json and text/turtle.
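The following is an added example, not code from the Solid specification, NSS or any participant in this thread. It sketches the two-error-code idea raised earlier (User Unauthorized vs Client Unauthorized) as a structured 403 body in plain application/json, in the style of the UMA 2.0 error responses mentioned above, together with the client-side decision that body enables. The error code strings, the body field names and the mode names are hypothetical placeholders, not vocabulary any spec defines.

```javascript
// Added example, not from the Solid spec, NSS or this thread's participants.
// Error codes and JSON field names below are hypothetical placeholders.

const ERR_USER_UNAUTHORIZED = 'user_unauthorized';     // hypothetical code
const ERR_CLIENT_UNAUTHORIZED = 'client_unauthorized'; // hypothetical code

// The reason phrase carries nothing in HTTP/2, so the distinction has to
// live in the body; Content-Type tells the client it may parse it.
function build403(code, requiredMode) {
  return {
    status: 403,
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ error: code, required_access_mode: requiredMode }),
  };
}

// Server side: `userModes` is the set of access modes the resource owner
// granted to the user; `clientModes` is the set the user granted to the
// client/app. Nothing here relies on an Origin header, which the RS cannot
// verify. Returns null when access is allowed, otherwise a 403 response.
function authorize(requiredMode, userModes, clientModes) {
  // Check the user first: if the user lacks the mode, a client-level grant
  // from that same user could never help, so reporting the client error
  // would send the app down the wrong path.
  if (!userModes.has(requiredMode)) {
    return build403(ERR_USER_UNAUTHORIZED, requiredMode);
  }
  if (!clientModes.has(requiredMode)) {
    return build403(ERR_CLIENT_UNAUTHORIZED, requiredMode);
  }
  return null;
}

// Client side: map a 403 to the next step in the interaction.
function nextStepFor403(response) {
  if (response.status !== 403) return { action: 'none' };
  const mediaType = (response.headers['content-type'] || '').split(';')[0].trim();
  if (mediaType !== 'application/json') {
    // No structured body: the client cannot tell which party lacks access.
    return { action: 'unknown' };
  }
  let err;
  try {
    err = JSON.parse(response.body);
  } catch {
    return { action: 'unknown' }; // malformed body, treat as unstructured
  }
  switch (err.error) {
    case ERR_CLIENT_UNAUTHORIZED:
      // The app itself lacks the mode: ask the user to grant it to the app.
      return { action: 'ask_user_for_client_grant', mode: err.required_access_mode };
    case ERR_USER_UNAUTHORIZED:
      // The user lacks the mode: only the resource owner can grant it.
      return { action: 'ask_owner_for_user_grant', mode: err.required_access_mode };
    default:
      return { action: 'unknown' };
  }
}

// Constructed sample: the resource requires Write; the owner gave the user
// Read and Write, but the user gave this app only Read.
const sample = authorize('Write', new Set(['Read', 'Write']), new Set(['Read']));
console.log(sample.status, nextStepFor403(sample));
```

The server reports the user-level failure before the client-level one on purpose: a client that sees "client unauthorized" will go and ask the user for a grant, which is wasted effort if the user does not hold the mode either. A client that receives a bare 403 with no parseable body falls back to "unknown", which is exactly the situation the thread is trying to get rid of.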

@csarven
Member

csarven commented Jul 9, 2021

solid/specification#28 goes in the direction of addressing the need generally for Solid, and not coupled with an authorization mechanism.

@csarven csarven changed the title HTTP 403 - does the user or the applcation lack requred access mode? HTTP 403 - does the user or the application lack required access mode? Jul 9, 2021