first draft for an intent-handover spec#798
Conversation
|
When this is read without the context of the demo given in the Solid CG, it can be hard to imagine the expected flow. I would recommend describing the flow of the demo - in addition to having the flow diagram described in the meeting, so that the intended behaviour can be understood. |
|
This PR was discussed on the 2026-07-01 meeting, including a quick rundown of the demo. |
|
Two recommendations for sequence diagrams
|
|
Also, this discussion already talks about the scenario for opening resources: pod-os/PodOS#47 |
|
Also also, as the intent is an instruction for the client-side code and not the server, I think that using a hash This would also prevent the WebID (or other values) from being visible server-side (in logs, etc.) which is better from a privacy perspective. |
allow for both fragment (for client side apps) and query parameters (for server-driven apps) allow open intent to receive resources to open
| </ul> | ||
| <h2 id="intent-parameters">4. Intent Parameters</h2> | ||
| <p>This specification defines intent parameters as either HTTP URL fragment parameters or HTTP URL query parameters. The usage depends on the capabilities of the receiving application.</p> | ||
| <p>Receiving applications that run purely in the browser SHOULD use fragment parameters to prevent transmission of information to the server.</p> |
There was a problem hiding this comment.
Does the initiating application construct url with parameters? If it does how would it decide to use query or fragment? The whole idea of having parameters in a fragment doesn't sound familiar to me. Do you have examples of it being used elsewhere?
|
Thank you for the diagram @Potherca I think I understand the intent (no pun intended!). My main issue is that in my idea of a default state of things, applications don't know anything about any other applications that the user is using - privacy concern. Even if they know they shouldn't be disclosing any information to other applications, specifically information which isn't publicly available via user's WebId. I recall some prior conversations about 'open with' style interactions. The only link I can find now solid/catalog#24 While we can't assume that any application used by a user knows anything about any other application used by that user. At least SAI and MANDAT have notion of Authorization App/Agent, which is special case app/service with hight trust from the user. In https://sai.js.org I actually combine it with the IdP itself, but they could be separate. Whatever flow we design should accommodate for possibility of user having such special app/service, in SAI it is advertised in WebID, similar to OIDC Issuer. And flow may need to go through that special party. Can we pick 2-3 specific, real world use cases and walk through them
I'm happy to work on the same use cases with approach 2b. |
This PR is a first draft for an intent-handover specification. The aim is to allow initiating applications a flow to signal a 'login as' intent as well as an 'open this resource' intent to the receiving application.