On the Solid community server, when you give an application access to your pod, and if that app demands “trusted app” access, then it is listed in the /profile/card file.
This seems to be too much information to be publicly exposed.
Mainly because the acl:origin http://some_appname_has_information provides visible information about these apps, which may be correlated to the person.
Is there a way to have this information on a non-public file? (or would that break something?)
Like how email is hidden (reffering to an identifier)?
You can manually assign permissions to apps using ACL or ACP and that does not leave a record in the public profile. There is currently no specification covering the flow of app authorization. See the work of the Interoperability Panel for a more sophisticated approach than trustedApps.
My understanding was that it’d be more like, you might have three different calendar apps in the ecosystem, and you might preference a certain one, and you decide to advertise that publicly in your webid (it could also be in a private document (preferences or something?) that only the pod owner could view (which currently implicitly means “any application you log in with” afaik.
No, that’s not really what is going on. Whenever an an app visits NSS from an origin that is not in trustedApps, a popup asks the user what rights they want to grant the app. Whatever they answer is recorded in the profile. The rights are conferred are pod-wide. This is a quick an easy way to authorize apps like SolidOS and Penny and PodBrowser which need access to everything but is somewhere between indiscreet and indiscriminate in terms of what it displays and allows apps to do.
Ah! Okay! Interesting! I was just pondering how this works the other day, and I was thinking that there’d be a use case for using a specific OIDC scope to request full pod access.
Though, given how this works, yeah, I’d expect that data to be private, otherwise it would reveal to the public what applications you’ve used.