Authorizing Solid Applications

and related security and privacy considerations.

User-centric approach to applications

Email is even older than the Web, and it is still one of the most prevalent technologies. Besides the freedom to choose which email provider's mail server we use, SMTP and IMAP let us freely choose which email client we interact with. Each user can even use different email clients on different devices. One of the main promises of Solid is to provide similar freedom for all our interactions online.

Challenges of loose coupling

An open ecosystem comes with additional complexities compared to walled gardens.
  • Third parties
    Applications are not part of your social graph; they are just tools used by you and your peers.
  • Discovery
    Applications need to be able to find the relevant data that the user authorized them to access. No additional protected information should be disclosed.
  • Distributed data
    Users access their own data and data of their peers that was shared with them. Every peer can host data on multiple servers. Users need to be able to define policies for their applications and apply them everywhere.
  • Terms of use
    When a user authorizes access, they may want to set specific conditions on how the application provider may and may not use that data.
  • UX
    Users need to be able to authorize with confidence, especially when authorizing access to data of other peers in their social graph.

Efforts to address those challenges

This session will incorporate contributions from the following projects.
    Mallory
    Exploration of malicious Solid apps that demonstrates existing problems.
    elf Pavlik

    Solid CG, independent

    MANDAT
    Authorizing Solid Applications via Proxies
    Christoph Braun

    Karlsruhe Institute of Technology (KIT), Germany

    SAI
    Solid Applications Interoperability
    elf Pavlik

    Solid CG, independent

    A4DS
    Authorization for DataSpaces
    Wouter Termont

    University of Ghent, Belgium

    ODRL
    Access management and enforcement with ODRL with LOAMA and FORCE.
    Wout Slabbinck

    University of Ghent, Belgium

    Data Terms of Use
    Todo
    Rui Zhao

    University of Oxford, UK

Agenda

Presentations in chronological order.
    Mallory (11:15)
    Exploration of malicious Solid apps that demonstrates existing problems.
    elf Pavlik

    Solid CG, independent

    MANDAT (11:20)
    Authorizing Solid Applications via Proxies

    The MANDAT project (FAU, KIT, DATEV), first presented at Solid World 2025, focuses on developing methods for the secure exchange of business data within decentralized, trust-based ecosystems. By leveraging the Solid protocol, the project aims to create a technical framework where companies can share information while maintaining full control over their business data. In this talk, Christoph will dive into what is enabled by the project's results in terms of access management and rights delegation and, most importantly, how this relates to the concept of authorizing Solid applications.

    Christoph Braun

    Karlsruhe Institute of Technology (KIT), Germany

    SAI (11:35)
    Solid Applications Interoperability
    elf Pavlik

    Solid CG, independent

    A4DS (11:45)
    Authorization for DataSpaces

    A future-proof extension for User-Managed-Access:

    • Granular policy management
    • Automated evaluation, human decision
    • Performant delegation of control
    • Privacy-first discovery
    Wouter Termont

    University of Ghent, Belgium

    ODRL (11:55)
    Access management and enforcement with ODRL with LOAMA and FORCE.
    Wout Slabbinck

    University of Ghent, Belgium

    Data Terms of Use (12:05)
    Todo

    Another perspective for describing policies and reasoning about authorization decisions

    Rui Zhao

    University of Oxford, UK

Do you care about security and privacy of Solid?

Join this session at Solid Symposium 2026.