View apps that have access to a resource?

Hello! I’m trying to create a basic Solid app for a project - and wanted to try to view the apps that have access to the pod at a given time.

I understand the ACR (Manage Access to Data (ACP) — Inrupt JavaScript Client Libraries) defines how agents are able to access a specific resource. Is there a way yet to identify “apps” that have been given access by viewing the ACR? Would an app like MediaKraken create a matcher or policy for itself when it gets initial access?

I’ve largely been trying to implement the code here to try and understand what’s possible.
https://docs.inrupt.com/developer-tools/javascript/client-libraries/tutorial/manage-acp/

However, I’m not sure I understand how access information is typically stored for apps that are currently out there. I guess an extended question is whether there is a way to identify the agent that last made a change to a resource or container.

I’m quite new to Solid and web development in general and am still learning. I’d be happy to try and share more details as helpful. Thank you!

Hello, and welcome!

As far as ACP goes, I don’t believe it gives specific details of how a client is identified in a Context, and that is an open area of research. You can read more here, which shows the actual RDF structures which ACP uses for access resolution.

1 Like

I’m not sure about ACP, but I suspect it works the same as WAC in this regard - “When the target of the HTTP request is the ACL resource, the operation can only be allowed with the acl:Control access mode.” In other words, you can’t access the ACL for a resource unless you have control privileges over the resource. Even then you can only read the ACL resource if you also have read permissions on it.

1 Like

The ACR is created by your Solid server, not by MediaKraken. MediaKraken requests permission, and then the user grants (or denies) it permission on a separate page (usually a page managed by your Solid server). The ACR resource is located in your Pod – usually as resource.name.acr (where resource.name is the name of your actual resource that this ACR applies to), but not guaranteed (that’s why you should use the HTTP Link header to identify it).

In principle, as said in this other document, this “separate page” can be customized (i.e. using a separate App registered with your Solid server). But I do not yet know any examples of this.

The flow should be intuitive if you have used OIDC to authenticate a third-party App to access your data elsewhere, even as simple as just requesting your username and avatar (e.g. “Log-in with GitHub”).

Then, for your question on the title, you need an app with permission to access the ACR resource. I haven’t done this yet for ACP, but presume this would be similar to requesting any other permissions.
Previously, for WAC, this is determined by the Control permission.

But if your ultimate goal is just to figure out what apps have access, you don’t have to differentiate between ACP and WAC, and can use the universal API of @inrupt/solid-client, by checking, e.g., the Read permission.
Actually, I have an App that does (more than) this: GitHub - renyuneyun/PermiX: A permission explorer App for Solid. But it’s my first Vue project, and the code structure is not really good…

1 Like
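Added example (not part of any post in this thread): one way to find the access control resource from the HTTP Link header mentioned above instead of guessing a `.acr` or `.acl` suffix. The pod URLs and header values are constructed, and the ACP relation IRI is assumed to be the one the server advertises; `rel="acl"` is the WAC relation.

```javascript
// Added example: discover the ACL/ACR URL from a resource's Link header.
// Relation types that point at an access control resource.
const ACCESS_CONTROL_RELS = [
  "acl", // WAC
  "http://www.w3.org/ns/solid/acp#accessControl", // ACP (assumed to be advertised)
];

// Parse a Link header into [{ target, rels }]. Matching on <...> rather than
// splitting on commas keeps targets that contain commas intact.
function parseLinkHeader(header) {
  const entry = /<([^>]*)>((?:\s*;\s*[\w*-]+\s*=\s*(?:"[^"]*"|[^\s;,]*))*)/g;
  const param = /;\s*([\w*-]+)\s*=\s*(?:"([^"]*)"|([^\s;,]*))/g;
  const links = [];
  for (const [, target, rawParams] of header.matchAll(entry)) {
    const params = {};
    for (const [, name, quoted, bare] of rawParams.matchAll(param)) {
      params[name.toLowerCase()] = quoted ?? bare;
    }
    // A single rel attribute may carry several space-separated relation types.
    const rels = (params.rel ?? "").split(/\s+/).filter(Boolean);
    links.push({ target, rels });
  }
  return links;
}

// Return the absolute URL of the access control resource, or null if the
// server did not advertise one (for example, the caller may not see it).
function findAccessControlUrl(resourceUrl, linkHeader) {
  for (const { target, rels } of parseLinkHeader(linkHeader ?? "")) {
    if (rels.some((rel) => ACCESS_CONTROL_RELS.includes(rel))) {
      return new URL(target, resourceUrl).href; // resolve relative targets
    }
  }
  return null;
}

// Constructed sample header, as it might come back from a HEAD request.
const SAMPLE_LINK =
  '<http://www.w3.org/ns/ldp#Resource>; rel="type", ' +
  '<./notes.ttl.acr>; rel="http://www.w3.org/ns/solid/acp#accessControl"';
console.log(findAccessControlUrl("https://pod.example/alice/notes.ttl", SAMPLE_LINK));
```

In an app, the header would come from `response.headers.get("Link")` on an authenticated request to the resource.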

Thanks so much for your thoughts, @gaz009 @jeffz and @renyuneyun.

I had to spend some amount of time trying to understand what I was doing wrong. Eventually, I have been able to set and read accesses at an “agent” level. Your inputs were invaluable.

I believe an extension to this (and what I was trying to achieve earlier but misphrased) - how do I view and add to the ‘trusted apps’ for an Inrupt-hosted Solid pod? I am only able to find allusions to it in the Inrupt documentation, and wondered if anyone has any resources they can share?

I am, in essence, trying to recreate the permissions dashboard that Solid OS has but am not sure if it can even be done?

As far as I know, NSS is the only server that uses the trustedApp mechanism. I am not sure how ESS behaves now but previously there were a couple of apps (Penny among others) which were hard-coded as trusted site-wide the way trustedApps behave on NSS but other than those apps, other apps need per-container/resource permissions and there is no concept of site-wide permissions.

1 Like

Understood, thank you! I was worried that this might be the case.

In trying the ‘per-container/resource’ approach as well, I’m having a hard time understanding how I can grant these permissions for an “app” rather than an “agent”.

Basically, is there a way for me to define access on the basis of the origin rather than the webID? Would you recommend any documentation to understand this better?

Thank you again for engaging with these questions! Pardon me if I’ve misunderstood something basic.

Hi @organicimpala

It’s good to see you investigating this.

You can set up ACP to filter on “app” rather than “agent” by using a client matcher. Here are the docs for that:

https://docs.inrupt.com/ess/latest/security/acp/#acp-matcher-client

Thanks
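Added example (not part of any post in this thread): a sketch of how a permissions view could list the apps named in an ACR by following access controls to policies to matchers and collecting `acp:client` values. The ACR is constructed sample data, flattened to triples with prefixed names; the function and variable names are hypothetical, and it inspects only the ACR it is given rather than performing full ACP access resolution.

```javascript
// Added example. Constructed sample ACR as [subject, predicate, object] triples.
const SAMPLE_ACR = [
  ["#acr", "acp:accessControl", "#ac"],
  ["#ac", "acp:apply", "#ownerPolicy"],
  ["#ac", "acp:apply", "#viewerPolicy"],
  ["#ownerPolicy", "acp:allow", "acl:Read"],
  ["#ownerPolicy", "acp:allow", "acl:Write"],
  ["#ownerPolicy", "acp:allOf", "#owner"],
  ["#owner", "acp:agent", "https://id.example/alice#me"],
  ["#viewerPolicy", "acp:allow", "acl:Read"],
  ["#viewerPolicy", "acp:allOf", "#aliceViaViewer"],
  ["#viewerPolicy", "acp:noneOf", "#blockedApp"],
  ["#aliceViaViewer", "acp:agent", "https://id.example/alice#me"],
  ["#aliceViaViewer", "acp:client", "https://viewer.example/clientid"],
  ["#blockedApp", "acp:client", "https://old.example/clientid"],
];

// All objects for a given subject and predicate.
const objects = (triples, s, p) =>
  triples.filter(([ts, tp]) => ts === s && tp === p).map(([, , o]) => o);

// One row per acp:client value reachable from the ACR's access controls.
function listClientRules(triples) {
  const rows = [];
  const controls = new Set(
    triples.filter(([, p]) => p === "acp:accessControl").map(([, , o]) => o));
  for (const control of controls) {
    for (const policy of objects(triples, control, "acp:apply")) {
      // "via" records how the policy uses the matcher; acp:noneOf means the
      // policy does NOT apply to that client, so it is an exclusion.
      for (const via of ["acp:allOf", "acp:anyOf", "acp:noneOf"]) {
        for (const matcher of objects(triples, policy, via)) {
          for (const client of objects(triples, matcher, "acp:client")) {
            rows.push({
              client, policy, via,
              // Agents in the same matcher must match too for it to apply.
              agents: objects(triples, matcher, "acp:agent"),
              allow: objects(triples, policy, "acp:allow"),
              deny: objects(triples, policy, "acp:deny"),
            });
          }
        }
      }
    }
  }
  return rows;
}

console.log(listClientRules(SAMPLE_ACR));
```

Policies that name only agents, such as `#ownerPolicy` in the sample, produce no row, which is why agent-level grants alone do not show up as "apps" in a view like this.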