Browser-based app access control

Hi everyone, I have some questions here. I am creating a React browser-based app with Solid, and I have the following scenario: user Alice wants to write something in user Bob’s pod, but Bob only trusts Alice via app1. I have tried using “acl:origin : app1” in Bob’s pod ACL file and it works fine. However, there are the following questions:
1. If Alice develops another app 2 and uses the same origin as app1 (because the origin is in plaintext in a browser-based app, like “http://localhost:3000”), can Alice do what she wants through the new app 2?
2. Is there any way to allow the browser-based app1 to have its own WebID, so that when Alice wants to manipulate Bob’s pod, app1 sends the request on behalf of app1, not Alice? (My understanding is that a browser-based app with no server is like a UI: it can only act on behalf of the user, Alice.) If this can work, how can the browser hold two “authentications” (one for Alice and one for app1) at the same time?

Hi there,

I won’t answer both questions, but it would appear you are asking about Web Access Control (ACL) constraints. The current Solid WAC model is restrictive, as it doesn’t provide a lot of flexibility regarding access control. The newer (and soon standard) way to do this will be the Access Control Policy. This specification will allow you to check from which client the request is sent. However, the check for which client is not specified, to my knowledge. Since applications that are NOT locally hosted will have a unique IRI, the answer to your first question is “yes, probably”, so this shouldn’t be a concern when it is deployed to production. One thing which the Solid-OIDC spec talks about is client identifier documents, which can contain information about the client application which the user is using. This can be used to uniquely identify the client; however, the specifics of how that is achieved, or the security of it, are beyond the scope of both specifications.

2 Likes
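Both questions come down to what the pod server can actually check. In WAC, the acl:origin value is compared against the Origin request header, which the browser attaches and page script cannot set, so it tells the server where the code was served from, not which app it is: two apps served from the same origin are indistinguishable. ACP instead defines an acp:client matcher keyed on the Solid-OIDC client identifier (a URL), which the identity provider ties to the app through the redirect_uris listed in the app's client identifier document. The JavaScript below is an added example written for this thread, not code from the original post or from any Solid server: it models both checks over constructed data (made-up WebIDs, origins and client IDs, and a simplified ACP policy without allOf/anyOf) and runs the scenario from the question through each.

```javascript
// Added example for this thread, not code from the original post or from any
// Solid server: a plain-JavaScript model of two authorization checks, so the
// difference between WAC's acl:origin and an ACP matcher on the client
// identifier can be run. All WebIDs, origins and client IDs are made up.

const FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent";                  // WAC: everyone
const ACP_PUBLIC_AGENT = "http://www.w3.org/ns/solid/acp#PublicAgent"; // ACP: everyone
const ALICE = "https://alice.example/profile/card#me";
const BOB = "https://bob.example/profile/card#me";
const APP1_ID = "http://localhost:3000/app1-id.jsonld"; // hypothetical Solid-OIDC client identifier
const APP2_ID = "http://localhost:3000/app2-id.jsonld"; // second app, same origin, different client ID

// The Origin header is scheme + host [+ port]; URL.origin lowercases the
// scheme and host and drops default ports, so "HTTP://LOCALHOST:3000" and
// "http://localhost:3000" compare equal. Non-URL input yields null.
function normalizeOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// ---- WAC with acl:origin --------------------------------------------------
// Constructed model of Bob's ACL. Each object stands for one acl:Authorization;
// keys mirror the acl: predicates (agent, agentClass, origin, mode).
const bobWacAcl = [
  { agent: [BOB], modes: ["Read", "Write", "Control"] },                  // no acl:origin: any origin
  { agent: [ALICE], origin: ["http://localhost:3000"], modes: ["Write"] }, // the rule from the question
  { agentClass: [FOAF_AGENT], modes: ["Read"] },                          // public read
];

function wacAllows(acl, req) {
  return acl.some((auth) => {
    const agentOk = (auth.agent ?? []).includes(req.webId) ||
                    (auth.agentClass ?? []).includes(FOAF_AGENT);
    if (!agentOk || !auth.modes.includes(req.mode)) return false;
    if (!auth.origin) return true;
    // In this model an authorization that carries acl:origin only matches a
    // request whose Origin header (set by the browser, not by page script)
    // is one of the listed origins. Nothing here identifies *which* app at
    // that origin made the request.
    const got = normalizeOrigin(req.origin ?? "");
    return got !== null && auth.origin.map(normalizeOrigin).includes(got);
  });
}

// ---- ACP with acp:agent and acp:client -----------------------------------
// Constructed, simplified model of ACP policies: one matcher per policy, and
// every listed constraint must hold (ACP's allOf/anyOf/noneOf are left out).
// `client` is the Solid-OIDC client identifier, which the server learns from
// the authenticated token, not from the Origin header.
const bobAcpPolicies = [
  { allow: ["Read", "Write", "Control"], match: { agent: [BOB] } },
  { allow: ["Write"],                    match: { agent: [ALICE], client: [APP1_ID] } },
  { allow: ["Read"],                     match: { agent: [ACP_PUBLIC_AGENT] } },
];

function acpAllows(policies, req) {
  return policies.some(({ allow, match }) => {
    if (!allow.includes(req.mode)) return false;
    if (match.agent && !match.agent.includes(req.webId) &&
        !match.agent.includes(ACP_PUBLIC_AGENT)) return false;
    if (match.client && !match.client.includes(req.clientId)) return false;
    return true;
  });
}

// Side-by-side decisions for the scenario in the question: Alice writing to
// Bob's pod from app1, from a second app at the same origin, and from a
// second app at another origin.
function decisionTable() {
  const cases = {
    app1:            { webId: ALICE, origin: "http://localhost:3000", clientId: APP1_ID, mode: "Write" },
    app2SameOrigin:  { webId: ALICE, origin: "http://localhost:3000", clientId: APP2_ID, mode: "Write" },
    app2OtherOrigin: { webId: ALICE, origin: "http://localhost:3001", clientId: APP2_ID, mode: "Write" },
  };
  const table = {};
  for (const [name, req] of Object.entries(cases)) {
    table[name] = { wac: wacAllows(bobWacAcl, req), acp: acpAllows(bobAcpPolicies, req) };
  }
  return table;
}

console.table(decisionTable());
```

Running it shows the WAC column granting both app1 and the same-origin app2 while the ACP column grants app1 only. Note what that does and does not settle for the second question: the ACP path identifies the app alongside Alice rather than giving the app a WebID of its own, and the check is only as strong as the identity provider's validation of the client identifier document, which, as the reply above says, the specifications leave open.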

Thank you, gaz009! I will take a look at the Access Control Policy, because I have looked at many posts and the answer is that you can give a WebID to your app’s server, and the Solid pod works like a database server: the user talks to the app’s server, and the app’s server talks to the pod server. So my concern is about what happens if the user talks to the pod server directly (so we do not need to worry about the app’s server being offline). Thanks a lot for your answer!

1 Like