Skip to content

first draft for an intent-handover spec#798

Open
ylebre wants to merge 2 commits into
solid:mainfrom
pdsinterop:feat/intent-handover
Open

first draft for an intent-handover spec#798
ylebre wants to merge 2 commits into
solid:mainfrom
pdsinterop:feat/intent-handover

Conversation

@ylebre

@ylebre ylebre commented Jul 1, 2026

Copy link
Copy Markdown

This PR is a first draft for an intent-handover specification. The aim is to allow initiating applications a flow to signal a 'login as' intent as well as an 'open this resource' intent to the receiving application.

@jeswr

jeswr commented Jul 1, 2026

Copy link
Copy Markdown
Member

When this is read without the context of the demo given in the Solid CG, it can be hard to imagine the expected flow. I would recommend describing the flow of the demo - in addition to having the flow diagram described in the meeting, so that the intended behaviour can be understood.

@uvdsl

uvdsl commented Jul 1, 2026

Copy link
Copy Markdown
Member

This PR was discussed on the 2026-07-01 meeting, including a quick rundown of the demo.

@elf-pavlik

Copy link
Copy Markdown
Member

Two recommendations for sequence diagrams

@uvdsl uvdsl self-requested a review July 2, 2026 14:50
@Potherca

Potherca commented Jul 3, 2026

Copy link
Copy Markdown

in addition to having the flow diagram

Something like this?

@Potherca

Potherca commented Jul 3, 2026

Copy link
Copy Markdown

Also, this discussion already talks about the scenario for opening resources: pod-os/PodOS#47

@Potherca

Potherca commented Jul 3, 2026

Copy link
Copy Markdown

Also also, as the intent is an instruction for the client-side code and not the server, I think that using a hash # would be more fitting than using query params (as those are meant as instructions for the server).

This would also prevent the WebID (or other values) from being visible server-side (in logs, etc.) which is better from a privacy perspective.

allow for both fragment (for client side apps) and query parameters (for server-driven apps)
allow open intent to receive resources to open
Comment thread 2026/intent-handover.html
</ul>
<h2 id="intent-parameters">4. Intent Parameters</h2>
<p>This specification defines intent parameters as either HTTP URL fragment parameters or HTTP URL query parameters. The usage depends on the capabilities of the receiving application.</p>
<p>Receiving applications that run purely in the browser SHOULD use fragment parameters to prevent transmission of information to the server.</p>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the initiating application construct url with parameters? If it does how would it decide to use query or fragment? The whole idea of having parameters in a fragment doesn't sound familiar to me. Do you have examples of it being used elsewhere?

@elf-pavlik

elf-pavlik commented Jul 7, 2026

Copy link
Copy Markdown
Member

Thank you for the diagram @Potherca I think I understand the intent (no pun intended!).

My main issue is that in my idea of a default state of things, applications don't know anything about any other applications that the user is using - privacy concern. Even if they know they shouldn't be disclosing any information to other applications, specifically information which isn't publicly available via user's WebId.

I recall some prior conversations about 'open with' style interactions. The only link I can find now solid/catalog#24

While we can't assume that any application used by a user knows anything about any other application used by that user. At least SAI and MANDAT have notion of Authorization App/Agent, which is special case app/service with hight trust from the user. In https://sai.js.org I actually combine it with the IdP itself, but they could be separate. Whatever flow we design should accommodate for possibility of user having such special app/service, in SAI it is advertised in WebID, similar to OIDC Issuer. And flow may need to go through that special party.

Can we pick 2-3 specific, real world use cases and walk through them

  1. without this proposal
  2. with this proposal
    a) as of now
    b) extended to a special trusted app/party incorporated in this flow to avoid privacy leaks between applications

I'm happy to work on the same use cases with approach 2b.

@jg10-mastodon-social @srosset81

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants