
Web Access Control 2.0: Secure Authorization Conditions #1

Open
melvincarvalho wants to merge 11 commits into main from wac-2.0-secure-conditions

@melvincarvalho
Owner

Summary

This PR applies PR solid#134's authorization conditions with secure evaluation semantics.

Changes from PR solid#134 (10 insertions, 9 deletions):

  1. Fail-closed evaluation — unsupported condition types make the Authorization non-applicable (instead of being silently ignored)
  2. Write-time validation — server SHOULD respond 422 Unprocessable Entity when ACL contains unsupported condition types
  3. Monotonicity — adding a condition can only restrict access, never expand it
  4. Migration safety — less-capable servers deny rather than expand access

All other aspects preserved: acl:condition syntax, capability discovery via Link headers, acl:ClientCondition, acl:IssuerCondition, conjunctive evaluation.

Background

csarven and others added 9 commits March 24, 2026 13:09
Co-authored-by: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Co-authored-by: Christoph Braun <braun@kit.edu>
Co-authored-by: Christoph Braun <braun@kit.edu>
Changes from PR solid#134:

- Fail-closed evaluation: unsupported condition types make the
  Authorization non-applicable (instead of being silently ignored)
- Write-time validation: server SHOULD respond 422 when ACL contains
  unsupported condition types
- Monotonicity: adding a condition can only restrict access, never expand
- Migration safety: less-capable servers deny rather than expand access

All other aspects of PR solid#134 are preserved: condition syntax,
capability discovery, Client/Issuer conditions, conjunctive evaluation.
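
The fail-closed, conjunctive evaluation and the write-time check described above, next to the "silently ignored" behaviour they replace, as an added example that is not part of this PR or of the specification text. Plain JavaScript objects stand in for the ACL's RDF; the field names (`modes`, `conditions`, `type`, `client`, `issuer`) and the `ex:TimeCondition` type are assumptions made for illustration.

```javascript
// Added illustration: plain objects stand in for the RDF of an ACL resource.
// Agent and resource matching are omitted; only acl:condition handling is shown.
const SUPPORTED = new Map([
  ['acl:ClientCondition', (c, req) => c.client === req.client],
  ['acl:IssuerCondition', (c, req) => c.issuer === req.issuer],
]);

// Fail-closed and conjunctive: every condition must be of a supported type
// and be satisfied, otherwise the Authorization is not applicable.
function isApplicable(auth, req, evaluators = SUPPORTED) {
  return (auth.conditions || []).every((c) => {
    const evaluate = evaluators.get(c.type);
    return evaluate ? evaluate(c, req) === true : false;
  });
}

// Contrast case: unsupported condition types are skipped (silently ignored).
function isApplicableIgnoring(auth, req, evaluators = SUPPORTED) {
  return (auth.conditions || []).every((c) => {
    const evaluate = evaluators.get(c.type);
    return evaluate ? evaluate(c, req) === true : true;
  });
}

// A mode is granted when at least one Authorization carrying it is applicable.
function grants(acl, req, mode, applicable = isApplicable) {
  return acl.some((auth) => auth.modes.includes(mode) && applicable(auth, req));
}

// Write-time check: a non-empty result is the case where the server
// SHOULD answer 422 Unprocessable Entity instead of storing the ACL.
function unsupportedConditionTypes(acl, evaluators = SUPPORTED) {
  const types = acl.flatMap((auth) => auth.conditions || []).map((c) => c.type);
  return [...new Set(types.filter((t) => !evaluators.has(t)))];
}

// Constructed sample data; ex:TimeCondition is a hypothetical unsupported type.
const req = { client: 'https://app.example/id', issuer: 'https://idp.example/' };
const acl = [{
  modes: ['Read'],
  conditions: [
    { type: 'acl:IssuerCondition', issuer: 'https://idp.example/' },
    { type: 'ex:TimeCondition', notAfter: '2026-01-01T00:00:00Z' },
  ],
}];

console.log(grants(acl, req, 'Read'));                       // fail-closed evaluation
console.log(grants(acl, req, 'Read', isApplicableIgnoring)); // ignoring unsupported types
console.log(unsupportedConditionTypes(acl));
```

With the ignoring evaluator, the server that does not understand `ex:TimeCondition` grants Read on the issuer match alone; the fail-closed evaluator treats the same Authorization as non-applicable.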