I’ve been trying to get more familiar with Solid – I’ve created two pods on two different platforms and done a developer tutorial etc.
One thing that struck me is that so far when I’ve given access to my data it’s been to access the entire pod. Am I missing something or should apps be able to have access to very specific data as opposed to all data? Is there a way to do this that I haven’t figured out yet?
Another small thing I noticed when I did the basic developer tutorial using the community server (a simple app to write + read your name) is that it doesn’t seem to handle encoding properly. I entered an emoji in my name and it was stored as a Japanese character. Is that a client-side issue where I should have used some specific method for special encoding?
Last paragraph is a bit off-topic so feel free to ignore but figured I’d add it while I was here.
The permission system on a pod is based on resources and apps. An app is making authenticated requests on the web on your behalf. When you log in with an app, your own pod will ask you if it is okay that the app will make authenticated requests on your behalf (with your WebID). When you say ‘yes’, then the app can do everything you are allowed to do. On your own pod, this can mean a lot. On other pods it is dependent on what kind of authorizations are given to you.
If on my pod I give you only write permissions to one resource, then you can only update that resource with the app. On your own pod you can update any resource.
If I log in with the app, then I can’t update any resource on your pod (you didn’t provide me these rights). But I can update any resource on my own pod.
I’ve heard there are discussions to also restrict what an app can do on your own pod. But, alas, I don’t have more insight here.
@hochstenbach Thanks for the reply first of all. I think I understand what you’re saying. For instance, if you log in with an app it would be for something like a pod management app, possibly?
But if, e.g., Spotify would support Solid, I could give it permission to only read my public profile and give write permissions to my “listens”, for instance, much like you would give access to specific resources with OAuth? Did I get that right? Thanks again.
Yes. If Spotify would be a central server that talks the Solid protocol it would browse the web as “Spotify WebID”. You can provide in your own pod only access to a limited number of resources to the Spotify WebID.
In a decentralized world, one would probably create a De-Spotify App which you use to manage your own music collection (Pod management) and browse the web with your own WebID. I can give your WebID on my pod access to my ‘listens’ collection and you can see it in the De-Spotify App.
In Solid, you can assign permission to any resource (e.g. a file). You don’t have to assign that to the whole Pod.
Depending on the mechanism this (De-)Spotify App uses, there are two main approaches you may use to specify its specific permission on the specific resources rather than your whole Pod:
- If the (De-)Spotify App uses its own WebID to authenticate itself, you can easily assign permission on resources related to that WebID, much the same as you specify that for a human agent / user (e.g. through the share/permission pane in SolidOS, or manually modifying the ACL).
- If the (De-)Spotify App doesn’t have its own WebID, as described by hochstenbach, it will use your own WebID to authenticate (after you log-in, of course). There is also the “by Origin” mechanism if you look at the sharing/permission pane in SolidOS, which you may specify on each resource. (But I never fully understood it… See my GitHub issue and/or my other post.)
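As an added illustration of the first approach discussed in this thread (an app that authenticates with its own WebID), here is what a per-resource ACL could look like. It is not taken from any of the posts; the pod URL, the app WebID and the `listens/` container are constructed placeholders.

```turtle
# Hypothetical ACL for the container https://alice.example/listens/
# (conventionally stored next to it as https://alice.example/listens/.acl).
# All URLs below are constructed for this example.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

# Once a resource has its own ACL, the parent's ACL is no longer inherited,
# so the owner must be listed explicitly or she locks herself out.
<#owner>
    a acl:Authorization;
    acl:agent <https://alice.example/profile/card#me>;
    acl:accessTo <./>;          # the container itself
    acl:default <./>;           # inherited by resources inside it
    acl:mode acl:Read, acl:Write, acl:Control.

# The app's own WebID gets read and write on this container only.
# It has no acl:Control, so it cannot change these rules, and it is
# not named in any other ACL, so the rest of the pod stays closed to it.
<#music-app>
    a acl:Authorization;
    acl:agent <https://music-app.example/profile#id>;
    acl:accessTo <./>;
    acl:default <./>;
    acl:mode acl:Read, acl:Write.   # acl:Append instead of acl:Write would allow adding listens but not editing or deleting them
```

The same ACL can be produced through the sharing pane in SolidOS mentioned above; editing the `.acl` document by hand requires `acl:Control` on the container.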