Ensure the “it just works” scenario works in TLS and OIDC modes

[RubenVerborgh]

No description provided.

[kidehen]

@RubenVerborgh ,

Using your pod at https://ruben-just-works.solid.community/public/, here are my observations:

[1] I can authenticate and login using WebID-TLS
[2] I can't create a Meetulator instance .

Error:
Web error: 401 (Unauthorized) on PUT of https://ruben-just-works.solid.community/public/RWWCrew%20QA%20Meeting/index.ttl

A 401 message shouldn't be returned for an identity that has been successfully authenticated.

[kidehen]

@RubenVerborgh ,

So that we have a coherent interop exercise, that's ongoing rather than fragmented, here are the existing TLS-mode pods that pass basic "it just works!" interop tests:

• https://kidehen3.solid.openlinksw.com:8443/public/
• https://solid.turnguard.com:8440/public/
• https://drive.verborgh.org/public/RWWCrewQA/

What are the basic steps?
Given an ACL for a group of WebIDs named <#RWWCrew>, any combination of members should be able to perform the following operations across their pods:

1. Login
2. Add data to at least one app/pane
3. Create an app/pane

ACL Raw Data:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix kidehen: <https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#>.
@prefix melvin: <https://melvincarvalho.com/#> .
@prefix ruben: <https://ruben.verborgh.org/profile/#> .
@prefix csarven: <http://csarven.ca/#> .
@prefix c: <https://www.w3.org/People/Berners-Lee/card#> .
@prefix d: <https://ruben-just-works.solid.community/profile/card#> . 

<#owner>
    a acl:Authorization;
    acl:agent  kidehen:this,  melvin:me, ruben:me, csarven:i, c:i, d:me ;
    acl:accessTo <./index.ttl>;
    acl:defaultForNew <./>;
    acl:mode  acl:Read, acl:Write, acl:Control.

# Public-readable
<#public>
    a acl:Authorization;
    acl:agentClass foaf:Agent;  # everyone
    acl:accessTo <./index.ttl>;
    acl:defaultForNew <./>;
    acl:mode acl:Read.

[kidehen]

@RubenVerborgh ,
Steps:

1. I successfully login
2. I am unable to create a Meetulator instance -- that's when I get the 401 error I reported

I don't have this problem with TLS-mode pods.

[kidehen]

@RubenVerborgh,

My WebID is: https://kidehen6.solid.openlinksw.com:8443/profile/card#me, it should show up in Yo too.

[kidehen]

I get the following error message when I perform your steps: Error: Error writing meeting configuration: Web error: 401 (Unauthorized) on PUT of <https://ruben-just-works.solid.community/public/Kingsley-Test/index.ttl>

[kidehen]

@RubenVerborgh ,
When does solid-server end and where does mashlib start?
Here's how understand this setup:

[1] solid-server -- node.js module that allows read-write operations using LDP (HTTP PUT and PATCH methods) used to create and interact with solid pods/data spaces.

[2] data browser -- an solid-server can be configured to use a variety of data browsers, with Tabulator as the default

[3] Tabulator uses "mashilib.js" as a vehicle for delivering the app/pane experience against data in a pod.

Other Data Browsers could emulate Tabulator re. its use of "mashlib.js" for visual data interaction that also manifest as panes/apps.

Does this reconcile with your understanding?

[kidehen]

@RubenVerborgh,

What's the relation used to indicate the Idp of a WebID? Basically, how a person asserts that an Idp is a trusted provider of identity claims verification?

Note: I looked around a few WebIDs and couldn't find the relation in question there, I know its documented somewhere :)

[dmitrizagidulin]

Heh, as usual, documentation could definitely be improved.
The relation is documented here: https://github.com/solid/webid-oidc-spec#authorized-oidc-issuer-discovery, but needs to be more front&center.

[dmitrizagidulin]

(The predicate is <http://www.w3.org/ns/solid/terms#oidcIssuer>).

[kidehen]

@RubenVerborgh ,

Basically, the following:

@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<#me> solid:oidcIssuer <{oidc-idp-uri> .

Example snippets:

My OIDC-mode pod WebID-Profile docs.

@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<#me> solid:oidcIssuer <https://solid.openlinksw.com:8444>  . 

[kidehen]

@RubenVerborgh ,

Success regarding the following:

1. Login
2. Meetulator instance Creation.

See: https://ruben-just-works.solid.community/public/Kingsley-Test/.

Next Steps:

Repeating with different WebIDs deployed via OIDC-pod and verifying ACLs etc.

[kidehen]

@RubenVerborgh ,

Give me a few minutes, I am repeating using other WebIDs.
I'll drop a note when done.

[kidehen]

@RubenVerborgh ,

Please add https://kidehen7.solid.openlinksw.com:8444/profile/card#me to <#RWWCrew> acl. Right now I get 403 (which is consistent with current ACL state).

Revised ACL should be:

<#RWWCrew>
    a acl:Authorization;
    acl:agent <https://ldp.turnguard.com/turnguard#me>, 
                   <https://www.w3.org/People/Berners-Lee/card#i>, <https://melvincarvalho.com/#me>,
                   <https://ruben.verborgh.org/profile/#me>, 
                   <https://kingsley.idehen.net/public_home/kidehen/profile.ttl#i>, 
                   <https://kidehen5.solid.openlinksw.com:8444/profile/card#me>, 
                   <https://kidehen6.solid.openlinksw.com:8443/profile/card#me>, 
                   <http://id.myopenlink.net/DAV/home/smalinin/YouID/Sergey_Malinin_Fb/profile.ttl#identity>, 
                   <https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i>, 
                   <http://csarven.ca/#i>, <https://ruben-just-works.solid.community/profile/card#me>, 
                   <https://kidehen7.solid.openlinksw.com:8444/profile/card#me> ;
#    acl:accessTo <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read, acl:Write, acl:Control .

Added new WebID.

[kidehen]

@RubenVerborgh,

Okay, I have https://kidehen7.solid.openlinksw.com:8444/public/ up now. ACLs testing passes, but there is still a subtle problem with logging in an out.

Right now, I have to manually remove data from local storage to ensure my logout-login sequence is clean re. current identity.

In my case, our use of an icon to display current WebID helped me, but for others it will be a problem if they don't have their browser inspector window running while testing.

This issue can be closed, but there is another taking shape re item above.

[dmitrizagidulin]

The logout thing seems like a bug. An auth client should be clearing local storage on logout.

[kidehen]

@RubenVerborgh,

solid-auth-client is not forgetting my prior credentials, even when I remove them manually from my browser via its inspector utility .