The Linked Web Storage Protocol specification aims to provide applications with secure and permissioned access to externally stored data in an interoperable way.
The Linked Web Storage Protocol does/does not include protocol details for integration with identity layers and mechanisms; access management and data integrity; notifications about resource changes; and authorization mechanisms.
Status of This Document
This is a
preview
Do not attempt to implement this version of the specification. Do not
reference this version as authoritative in any way.
Instead, see
https://w3c.github.io/lws-protocol/ for the Editor's draft.
This section describes the status of this
document at the time of its publication. A list of current W3C
publications and the latest revision of this technical report can be found
in the
W3C standards and drafts index.
Publication as an Editor's Draft does not
imply endorsement by W3C and its Members.
This is a draft document and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to cite this document as other
than a work in progress.
This document was produced by a group
operating under the
W3C Patent
Policy.
W3C maintains a
public list of any patent disclosures
made in connection with the deliverables of
the group; that page also includes
instructions for disclosing a patent. An individual who has actual
knowledge of a patent that the individual believes contains
Essential Claim(s)
must disclose the information in accordance with
section 6 of the W3C Patent Policy.
+ Previous editors: Added formal past editors section recognizing Justin Bingham, Dmitri Zagidulin, Sarven Capadisli, Tim Berners-Lee and Ruben Verborgh
+ HTTP Server MUST generate a Last-Modified header field in response to GET and HEAD requests.
- The PATCH ?insertions formulae MUST NOT contain blank nodes.
+ IANA Reg Security Considerations: Servers are strongly encouraged to implement additional security measures…
+ IANA Reg Privacy Considerations: Servers are encouraged to respond with the 451 status code…
Tactics
Reference UCS Glossary for now to keep them in sync.
Include REST examples but keep spec abstract to:
provide intuitive names for states, operations, and responses
factor states, operations and responses so e.g. update resource responses are the same from HTTP PATCH or from HTTP PUT
enable alternate bindings.
I like to have a marker (e.g. left-border) to highlight informative regions, but it's pretty ugly.
1. Document Conventions
This section is non-normative.
2. Introduction
2.1 Resource Access
The LWS Protocol defines standard interactions by which a some party can make some resources available to some agents.
served resource - (available resource? published resource?) (not defined in UCS) A network-accessible entity exposed by a service for interaction, retrieval, or manipulation using the protocol defined in this document.
requesting agent - (entity in UCS) An entity (e.g., client, user, or process) that initiates a request to interact with a servable resource.
authentication - the process of verifying the identity of an agent executing a request.
authorization - the process of determining whether an agent has permission to access a specific resource or perform one of a set of operations.
resource manager - (controller in UCS) An agent that has permission to control access to a served resource.
2.3 Conformance
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, MUST NOT, RECOMMENDED, REQUIRED, SHOULD, and SHOULD NOT in this document
are to be interpreted as described in
BCP 14
[RFC2119] [RFC8174]
when, and only when, they appear in all
capitals, as shown here.
A LWS REST Server is an HTTP server [rfc9112] that complies with all of the relevant "MUST" statements in this specification. Specifically, the relevant normative "MUST" statements in Sections 999REST Binding of this document MUST be respected.
A LWS REST Client is an HTTP client [rfc9112] that complies with all of the relevant "MUST" statements in this specification. Specifically, the relevant normative "MUST" statements in Sections 999REST Binding of this document MUST be respected.
3. Terminology
This specification defines operations on served resources, the resulting change of state, and a response indended to give the requesting agent requested infomation or inform them of the outcome of the operation.
An operation is any of the following actions that can be performed on a served resource:
create resource -
read resource -
update resource -
delete resource -
The folowing section will describe the semantics and responses of these operations but the following core responses apply to any operation:
success - the operation is believe to have completed. This may be accompanied by a resource representation conveying the contents of a served resource. A success response is not defined for the create resource operation. See instead created.
not permitted
unknown requester
unknown error - reserved for error conditions that arrise that are not anticipated by the specification
4. Authentication
For any access control that requires establishing the identity of a requesting agent, that identiy is established using strawman-authn:
Linked Web Storage describes a mechanism for persisting and managing protected data on the Web. Authorization is the mechanism
by which agents request and present access tokens in order to access this protected data.
5.1 Roles
The roles in LWS authorization are the same as those defined by OAuth 2.0 Section 1.1 [RFC6749]:
resource owner,
resource server,
client (called in this specification authorization client to avoid ambiguity), and
authorization server.
A storage server is a type of resource server that also conforms to the LWS storage specification.
5.2 Protocol Flow
This specification describes the interaction between a client and an authorization server as well as
the interaction between a client and a conforming storage server.
The interaction between the authorization server and the storage server is out of scope of this specification.
The authorization server may be the same server as the storage server or it may be a separate entity.
5.2.1 Authorization Server Discovery
All protected resources managed by a storage server require a valid access token, generated by a trusted
authorization server. A client can discover the location of a trusted authorization server by making an
unauthorized HTTP request to a protected resource.
A storage server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header
field containing at least one conforming challenge. A conforming challenge will include the parameters described below:
as_uriREQUIRED — The value of this parameter is an absolute URI identifying the authorization server
where a client can retrieve an access token. The value of this parameter will be the same as the iss claim of a valid access token.
realmREQUIRED — The value of this parameter is an absolute URI indicating the scope of protection.
This value will be included in the audience (aud) claim of an access token. A client MUST verify that
the URI of the originating request is logically contained within the realm presented in this response.
An authorization server MUST provide a metadata resource to allow clients to discover endpoint locations and capabilities as described
in [RFC8414]. This metadata resource MUST be available at a URL with the path /.well-known/lws-configuration.
An authorization server SHOULD advertise the subject tokens that it supports by including a subject_token_types_supported
entry in the server metadata document. This entry is a JSON array containing a list of valid subject_token_type values
that can be supplied at the authorization server's token endpoint.
An example authorization server metadata resource is included below.
An LWS authorization server is a conforming OAuth 2.0 authorization server, capable of issuing access tokens to a client
for use with a storage server. In order to issue an access token, a client must first present a valid subject token,
such as an end-user credential, to the authorization server via OAuth 2.0 Token Exchange [RFC8693].
5.2.3.1 Request
The authorization server's token endpoint MUST support the urn:ietf:params:oauth:grant-type:token-exchange
grant type, as described in OAuth 2.0 Token Exchange [RFC8693].
When performing the token exchange grant type, the following additional requirements apply:
The resource parameter is REQUIRED. The value of this parameter MUST be an absolute URI and will be used to populate the
aud (audience) claim in the resulting access token. The supplied value will be the same as the
realm parameter response in a WWW-Authenticate challenge. The authorization server
MUST reject any request in which the resource parameter identifies an unknown or untrusted storage.
The subject_token parameter is REQUIRED. The value of this parameter MUST include a valid subject token,
such as an end-user credential.
Before returning an access token to the client, the authorization server MUST successfully validate all presented tokens.
Non-normative example of a token request (the subject_token parameter has been truncated).
If the token request is valid and the client is authorized to make the request, the authorization server response MUST
conform to Section 5.1 from the OAuth 2.0 Authorization Framework [RFC6749]. The resulting access token MUST conform
to the JSON Web Token Profile for OAuth 2.0 Access Tokens [RFC9068].
In addition, the access token must meet the following requirements:
sub (subject) — REQUIRED. This claim MUST be an absolute URI identifying the agent performing the operation
iss (issuer) — REQUIRED. This claim MUST be the absolute URI of the authorization server
client_id (client id) — REQUIRED. This claim MUST be an absolute URI identifying the client.
aud (audience) — REQUIRED. This claim MUST include the absolute URI supplied by the client
in the resource parameter. This value will be used to restrict the entities for which the access token is valid. This will
be the same value as provided by a storage server in the realm parameter of a WWW-Authenticate challenge.
exp (expiration) — REQUIRED. Authorization servers SHOULD issue tokens with short lifetimes
(RECOMMENDED: 300 seconds or less) to limit exposure from token theft.
iat (issued at) — REQUIRED.
jti (JWT ID) — REQUIRED.
A non-normative example of a successful token response is included below.
HTTP/1.1200 OK
Content-Type: application/json
{"access_token":"eyJ0eXAiOiJhcytqd3QiLCJhbGciOiJFUzI1NiIs...DeWt4QuZXso","token_type":"Bearer","expires_in":3600}
All invalid or unauthorized requests MUST result in an error response as described in Section 5.2 in
the OAuth 2.0 Authorization Framework [RFC6749].
Once a client is in possession of an access token, it will present this token to a storage server.
The storage server is responsible for verifying this token before performing any operation.
5.2.4.1 Presentation
A client MUST present an access token to a storage server using the Authorization header
with an authentication scheme as defined in [RFC6750].
A storage server MUST validate an access token by performing the following checks, rejecting the request upon any failure:
JWT Signature Validation: Verify the JWT signature using the authorization server's public key retrieved from the
jwks_uri specified in the authorization server metadata. Storage servers SHOULD cache these keys and
MUST support key rotation.
Issuer Validation: Verify the iss claim matches the expected authorization server identifier.
Audience Validation: Verify the aud claim contains exactly one value and this value is an absolute URI identifying the storage server which logically contains the target resource.
Temporal Validation, subject to an allowable clock skew between systems.
Verify the current time is before the exp (expiration) claim.
Verify the current time is not before the nbf (not before) claim, if present.
Verify that the iat (issued at) claim is not in the future.
If validation fails, the storage server MUST return 401 Unauthorized with a WWW-Authenticate header
containing an appropriate error parameter (e.g., invalid_token, invalid_request, or insufficient_scope).
If the token is otherwise valid but an authorization policy does not allow the requested operation,
the storage server MUST reject the request.
6. Discovery
Define how requesting agents discover served resources and their capabilities.
Define the data model for logical resource organization within LWS, including how containers are structured, hierarchical relationships between resources, container semantics, containment rules, and the mechanisms for organizing and navigating collections of related resources. This should cover container creation, membership management, and the relationship between containers and the resources they contain.
9. REST Binding
This strawman mapping of the operations and responses defined above allows LWS REST Servers and LWS REST Clients to communicate over HTTP using REST conventions.
The following table maps LWS response to an HTTP status code and payload:
Define how resources are identified and addressed within the LWS Protocol, including URI schemes, resource naming conventions, and resolution mechanisms. This section may be moved within another section; e.g. Resource Access
this left intentionally blank
11. Unstable Features
The features described in this section are being drafted to ground discussions and may be removed if there is:
Lack of consensus to include them, or
Lack of implementation of those features
this left intentionally blank
11.1 Profile Negotiation on Resources
Define mechanisms for content negotiation based on profiles, allowing clients to request specific representations or views of resources (e.g., JSON-LD contexts, different RDF serializations, or application-specific profiles).
this left intentionally blank
11.2 Notifications
Define notification mechanisms that allow clients to be informed of changes to resources, including subscription models, event formats, and delivery mechanisms.
this left intentionally blank
11.3 Inbox
Define inbox resources with specific semantics within LWS, including message posting, retrieval, and management capabilities for asynchronous communication patterns.
this left intentionally blank
12. Portability Considerations
Describe considerations for ensuring LWS implementations can work across different platforms, environments, and storage backends while maintaining interoperability - and provide affordances to enable change in storage providers
this left intentionally blank
13. Security Considerations
Formal security considerations section covering threat models, security requirements, and implementation guidance for secure LWS deployments.
13.1 Authorization Security
The recommendations described in Best Current Practice for OAuth 2.0 Security [RFC9700] apply to this specification.
13.1.1 Transport Security
An Authorization Server implementation MUST support TLS. When using TLS, the client MUST perform a TLS/SSL server certificate check, per RFC 6125 [RFC6125].
Implementation security considerations can be found in "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" [BCP195].
13.1.2 Token Security
Bearer tokens are vulnerable to theft and replay. Required mitigations include:
Short Lifetimes: Tokens SHOULD have lifetimes of 300 seconds (5 minutes) or less
Audience Binding: Tokens MUST be bound to a specific storage server via the aud claim
Secure Storage: Clients MUST store tokens securely in memory when possible, never in localStorage, URLs, or logs
13.1.3 End-User Credential Protection
End-user credentials with unrestricted audiences MUST NOT be provided to untrusted authorization servers.
If an end-user credential issuer is unable to restrict the audience of a token, clients SHOULD use a mechanism
such as OAuth 2.0 Token Exchange [RFC8693] to create audience-restricted credentials before interacting with authorization servers.
14. Privacy Considerations
Privacy implications of the LWS Protocol, including data minimization, user consent, and privacy-preserving implementation patterns.
14.1 Authorization Privacy
Minimal Disclosure: Authorization servers SHOULD issue tokens containing only information necessary for
authorization. Avoid including sensitive subject attributes unless required.
Logging: Implementations SHOULD NOT log full token contents. If logging is necessary, tokens should be truncated or hashed.
When using pseudonymous identifiers in JWTs, client applications SHOULD request a batch issuance of JWTs and each JWT SHOULD be used only one
time against the storage server. This makes it harder for a storage server to use pseudonymous identifiers to correlate requests.
This does not prevent the storage server from using other information such as similarities in JWT content or originating IP address
to correlate requests. When using pseudonymous identifiers, the authorization server SHOULD NOT issue the same pseudonymous identifier
more than once.
15. IANA Considerations
This section is non-normative.
15.1 well-known URI Registry
This specification adds the following value to the "Well-Known URIs" registry [IANA.well-known] established by RFC 5785 [RFC5785].
URI suffix: lws-configuration
Change controller: W3C
Specification document: Section 5 of LWS-Auth
Related information: (none)
15.2 OAuth Authorization Server Metadata Registry
This specification adds the following value to the "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters] established by [RFC8414].
Metadata Name: token_subject_types_supported
Metadata Description: JSON array containing a list of the OAuth 2.0 "token_subject_type" values that this authorization server supports