Fine-grained access control for Solid apps

[michielbdejong]

Pivot uses WAC, and WAC lacks client identification.
This has the following problem:

Steps

• Alice has a WebID and a Storage on a Pivot server. It was created with the default root ACL and Alice has not changed it.
• Alice has uploaded some sensitive document to her pod
• Bob has given Alice (identified with her WebID) read/write access to a photo album on Bob's pod.
• Alice now wants to use a Solid app (say, a chess game) that should not get access to her sensitive document, nor to Bob's photo album
• The Solid app invites her to give her WebID, and she is redirected to the consent dialog
• Although she knows she should read this dialog and make an effort to understand what it means, she doesn't, and just clicks 'Accept' because she is eager to start using the Solid app

Desired Behaviour

• The Solid app should not get access to the sensitive document on Alice's pod, nor to the photo album on Bob's pod

Actual Behaviour

• The Solid app gets full read, write and control access to the sensitive document
• as well as to every other resource on Alice's pod
• it could even grant more WebID's access and remove Alice's access to her own pod
• it can read and write the photo album on Bob's pod, and to Bob it will look like Alice made those changes

Possible fixes

As a mitigation (not a fix), we made Pivot's wording in the consent dialog sterner than what it is in upstream CSS.

To fix this, the most promising option seems to be to switch from WAC to ACP, and add a client matcher to the root ACL. This will mean Alice's data can only be accessed using explicitly listed apps (such as Mashlib or Penny), and other apps can be granted more fine-grained access using something like a Solid app launcher. This will, however, not fix the issue of the app being able to act on Alice's behalf when accessing Bob's pod, unless Bob's pod provider also makes this switch. So it's not something a single server implementation can fully address on its own. But it would be a good start.

Other possible fixes (but those would need to be made at the level of the Solid project (probably by the LWS-WG) and can't be made just by Pivot as one of several implementations of the Solid spec) could be a switch away from ACL-based access and towards something like SAI, or a switch in general to a more OAuth-like system for access grants.

[michielbdejong]

Other mitigations could be disabling the basic default "Solid-OIDC + WAC" behaviour of Pivot, e.g. by disabling dynamic client registrations, or by removing the root ACL from a pod. That avoids the risk, but then of course it prevents people from using their pod in the usual way. I edited the warning slightly to reflect this.

[michielbdejong]

Another option might be to use WebID+TLS instead of Solid-OIDC, and then use acl:origin to identify clients, and make sure all ACLs constrain the origin. So not a practical option, and also not likely to happen given the reasons we switched away from WebID+TLS, but still worth documenting.