Separate authentication and entitlements, add federated DRM#66
Conversation
The existing `auth` property on Release Documents conflated authentication (how to present credentials) with authorization (whether a user may access a package). This change separates the two concerns and adds a federated entitlement verification protocol: - Narrow `auth` on releases to repository authentication only - Add `entitlements` property to Metadata Documents for vendor-controlled access policy (subscription, purchase, license-key, free-registration) - Add `FairEntitlementService` DID Document service type as trust anchor - Define entitlement verification protocol with JWT-based proofs - Write the ext-auth.md authentication methods extension (bearer, basic, oauth2) - Add entitlement types to the registry - Update implementation guide and docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Joost de Valk <joost@altha.nl>
jdevalk
force-pushed
the
feature/separate-auth-entitlements
branch
from
331484c to
d456f05
Compare
|
The approach works for me. Background for other reviewers: TYPO3 hackathon discussion of how deeply FAIR should get into this - the concept has always existed, with placeholders in the spec. The approach needs to remain agnostic about the authentication method or platform, not requiring a specific type - e.g., maybe it's not based on a license key; actual implementation should also support an expiry date or next-reauth check so it doesn't have to be done on. every. single. page. load. |
- Change `provides` from empty array `[]` to empty object `{}` in both
test data files (spec requires provides to be a map/object)
- Add a security contact to did_plc_m5tfrwxd3btacxlstcvop2ib.json
(spec requires at least one security contact)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joost de Valk <joost@altha.nl>
140 characters is too short for a meaningful package description. 250 characters allows 1-2 sentences while still keeping it concise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Joost de Valk <joost@altha.nl>
…' into feature/separate-auth-entitlements
toderash
left a comment
toderash
left a comment
There was a problem hiding this comment.
Flagged a few points to look at, but not comprehensive & didn't set a specific resolution, so simply accepting those won't really work.
The basic need is to define a means for the entitlement to expire & force reauthentication when needed - e.g., every 8 hours or 30 days or never or after a specific timestamp, now+365 days or an absolute UTC date/time or whatever, so if a subscription is renewed out of band, it'll simply re-auth and keep going, or do whatever's appropriate if the subscription expires.
| { | ||
| "entitlements": { | ||
| "service": "https://licenses.example.com/verify", | ||
| "type": "subscription", |
There was a problem hiding this comment.
For type : subscription, should also add
"expires": <date/time as UTC>
| | `purchase` | One-time purchase plugins/themes | | ||
| | `license-key` | Software with traditional license key activation | | ||
| | `free-registration` | Free plugins that require vendor registration | | ||
|
|
There was a problem hiding this comment.
Consider a require-reauth field, boolean false, after a time interval, or after a UTC timestamp
need a means of forcing a re-check for subscriptions, license expiry, or enforce reauth (oauth) as needed.
|
|
||
| ### 3. Set up repository authentication | ||
|
|
||
| On each release that has restricted artifacts, set `auth` to tell clients how to authenticate with the repository: |
There was a problem hiding this comment.
and when reauthentication must occur, if applicable.
| ```json | ||
| { | ||
| "auth": { | ||
| "type": "bearer", |
2 participants
Summary
auth(repository authentication) fromentitlements(vendor-controlled access policy), resolving the conflation of authentication, authorization, and DRM in the existingauthproperty.FairEntitlementServiceas a new DID Document service type, giving vendors a trust anchor for entitlement verification that survives repository changes.ext-auth.mdextension definingbearer,basic, andoauth2authentication methods (previously empty).subscription,purchase,license-key,free-registration.How it works
FairEntitlementServicein their DID Document (trust anchor)entitlementswith type, service URL, and user-facing hintsThis means vendors control access regardless of which repository serves their package, and users keep their entitlements when packages move between repositories.
Files changed
specification.md— Core spec changes (auth narrowing, entitlements, DID service, verification protocol, flow diagrams, description limit)schemas/metadata.schema.json— Updated description maxLength from 140 to 250ext-auth.md— Authentication methods extension (bearer, basic, oauth2)registry.md— Added entitlement types tabledocs/implementing/restricted.md— Updated implementation guidedocs/restricted.md— Updated user-facing overviewTest plan
auth-only packages still work🤖 Generated with Claude Code