Separate authentication and entitlements, add federated DRM#66
Conversation
The existing `auth` property on Release Documents conflated authentication (how to present credentials) with authorization (whether a user may access a package). This change separates the two concerns and adds a federated entitlement verification protocol: - Narrow `auth` on releases to repository authentication only - Add `entitlements` property to Metadata Documents for vendor-controlled access policy (subscription, purchase, license-key, free-registration) - Add `FairEntitlementService` DID Document service type as trust anchor - Define entitlement verification protocol with JWT-based proofs - Write the ext-auth.md authentication methods extension (bearer, basic, oauth2) - Add entitlement types to the registry - Update implementation guide and docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Joost de Valk <joost@altha.nl>
jdevalk
force-pushed
the
feature/separate-auth-entitlements
branch
from
331484c to
d456f05
Compare
|
The approach works for me. Background for other reviewers: TYPO3 hackathon discussion of how deeply FAIR should get into this - the concept has always existed, with placeholders in the spec. The approach needs to remain agnostic about the authentication method or platform, not requiring a specific type - e.g., maybe it's not based on a license key; actual implementation should also support an expiry date or next-reauth check so it doesn't have to be done on. every. single. page. load. |
- Change `provides` from empty array `[]` to empty object `{}` in both
test data files (spec requires provides to be a map/object)
- Add a security contact to did_plc_m5tfrwxd3btacxlstcvop2ib.json
(spec requires at least one security contact)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joost de Valk <joost@altha.nl>
140 characters is too short for a meaningful package description. 250 characters allows 1-2 sentences while still keeping it concise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Joost de Valk <joost@altha.nl>
…' into feature/separate-auth-entitlements
toderash
left a comment
toderash
left a comment
There was a problem hiding this comment.
Flagged a few points to look at, but not comprehensive & didn't set a specific resolution, so simply accepting those won't really work.
The basic need is to define a means for the entitlement to expire & force reauthentication when needed - e.g., every 8 hours or 30 days or never or after a specific timestamp, now+365 days or an absolute UTC date/time or whatever, so if a subscription is renewed out of band, it'll simply re-auth and keep going, or do whatever's appropriate if the subscription expires.
| { | ||
| "entitlements": { | ||
| "service": "https://licenses.example.com/verify", | ||
| "type": "subscription", |
There was a problem hiding this comment.
For type : subscription, should also add
"expires": <date/time as UTC>
| | `purchase` | One-time purchase plugins/themes | | ||
| | `license-key` | Software with traditional license key activation | | ||
| | `free-registration` | Free plugins that require vendor registration | | ||
|
|
There was a problem hiding this comment.
Consider a require-reauth field, boolean false, after a time interval, or after a UTC timestamp
need a means of forcing a re-check for subscriptions, license expiry, or enforce reauth (oauth) as needed.
|
|
||
| ### 3. Set up repository authentication | ||
|
|
||
| On each release that has restricted artifacts, set `auth` to tell clients how to authenticate with the repository: |
There was a problem hiding this comment.
and when reauthentication must occur, if applicable.
| ```json | ||
| { | ||
| "auth": { | ||
| "type": "bearer", |
- Add require-reauth to entitlements object (vendor opt-in to disable proof caching) - Document re-verification rules: cached proofs expire via exp, are discarded on repo 401, refresh on 403 - Remove the 24h cap on proof exp; expiry is at the entitlement service's discretion - Document typical proof lifetimes per entitlement type in the registry - Walk through expiry strategy in docs/implementing/restricted.md Addresses toderash review on PR #66.
Resolve conflicts: - Spec: keep entitlement-aware install flow, FairEntitlementService DID section, entitlements property, auth narrowed to repository auth - Metadata table: merge main's last_updated/latest-security-release rows with this branch's entitlements row - Description: keep 250-char limit from this branch - Normalize Client/Repository/Package capitalization to main's convention
|
@toderash thanks for the review. I treated your inline comments as pointing at one underlying need — vendors must be able to control re-verification cadence, on any auth method, without forcing a check on every page load — rather than as four separate field requests, and the design landed slightly different from your suggestions. Walking through it so you can push back where I got it wrong: 1. The JWT proof's This means clients are required to cache proofs until 2. Added 3. New "Caching and Re-verification" section in the spec spelling out exactly when a cached proof must be discarded:
If a refresh returns 4. Updated 5. Registry: added a non-normative "Typical proof lifetime" column per entitlement type so vendors have somewhere to look when choosing an 6. Schema: Why not a metadata-level Also pulled in main and resolved the conflicts: integrated Ready for another look when you have time. |
2 participants
Summary
auth(repository authentication) fromentitlements(vendor-controlled access policy), resolving the conflation of authentication, authorization, and DRM in the existingauthproperty.FairEntitlementServiceas a new DID Document service type, giving vendors a trust anchor for entitlement verification that survives repository changes.ext-auth.mdextension definingbearer,basic, andoauth2authentication methods (previously empty).subscription,purchase,license-key,free-registration.How it works
FairEntitlementServicein their DID Document (trust anchor)entitlementswith type, service URL, and user-facing hintsThis means vendors control access regardless of which repository serves their package, and users keep their entitlements when packages move between repositories.
Files changed
specification.md— Core spec changes (auth narrowing, entitlements, DID service, verification protocol, flow diagrams, description limit)schemas/metadata.schema.json— Updated description maxLength from 140 to 250ext-auth.md— Authentication methods extension (bearer, basic, oauth2)registry.md— Added entitlement types tabledocs/implementing/restricted.md— Updated implementation guidedocs/restricted.md— Updated user-facing overviewTest plan
auth-only packages still work🤖 Generated with Claude Code