fep

FEP-7502: Limiting visibility to authenticated actors

Summary

Some servers require authentication for all requests made via ActivityPub, even for GET requests on public objects addressed to as:Public. This violates the requirement that anything addressed to as:Public is made available without requiring authentication. This FEP proposes an alternative addressing that may be used in such scenarios, signaling that the object is not fully public but is otherwise available to any actor.

Prior art

(This section is non-normative.)

ActivityPub issue 339 discusses the shortcomings of as:Public and proposed a new delivery/addressing target of as:Authenticated, but this proposal was never adopted. The distinction between the two is as follows:

Public: Available to anyone without authentication
Authenticated: Available to any actor after authentication

Issues raised with this approach include:

the lack of semantic clarity around addressing pseudo-collections (including as:Public) as it relates to post-delivery use cases
the ease of creating puppet actors making this ineffective for anti-abuse use cases
the potential for tracking authenticated fetches that may occur

The concern with semantic clarity is unaddressed, as replacing as:Public with a different mechanism to signal fully public objects is out-of-scope for this FEP. However, this mechanism is still useful for addressing different concerns:

signaling an intent to disallow unauthenticated access, instead of lying about the object being fully “public”
a minimal level of tracking authentication being desirable in cases where blocks are to be enforced, by adding friction to fetching

In WAC, there is a distinction made between an “agent” (http://xmlns.com/foaf/0.1/Agent) and an “authenticated agent” (http://www.w3.org/ns/auth/acl#AuthenticatedAgent). This FEP proposes an addressing target for the latter.

Proposal

In addition to collections and objects, Activities may additionally be addressed to a special “authenticated” collection, with the identifier http://www.w3.org/ns/auth/acl#AuthenticatedAgent.

Activities addressed to this special URI shall be accessible to all actors, with authentication. Implementations MUST NOT deliver to the “authenticated” special collection; it is not capable of receiving actual activities.

An activity SHOULD NOT be addressed to both “public” and “authenticated”. In such a case, addressing to “authenticated” has no effect while also addressed to “public”.

Overview

ActivityPub Clients MAY author an activity that is addressed to or cc or includes in the audience the “authenticated agents” special identifier.
ActivityPub Servers receiving such an activity addressed to “authenticated agents” MUST enforce some method of authenticating actors on fetch, if the activity is persisted. (No specific method is required by this FEP, but in most practical cases it is currently sufficient to use the HTTP Signatures Cavage draft and sign the GET request with a domain-wide internal fetch actor representing the service running on that domain.)
ActivityPub Federated Servers that operate as an “instance” receiving such an activity addressed to “authenticated agents” MUST NOT serve representations of the received activity to any logged-out users.

Implementations

Pixelfed intends to implement this FEP when “signed fetch” is enabled, such that the resulting data returned after a signed fetch does not include as:Public.

Terms defined

Authenticated

URI: http://www.w3.org/ns/auth/acl#AuthenticatedAgent
Label: Anyone authenticated
Subclass of: Agent
Is defined by: Basic Access Control ontology

References

ActivityPub Christine Lemmer Webber, Jessica Tallon, ActivityPub, 2018
339 kaniini, as:Authenticated proposal, 2019
WAC Sarven Capadisli, Tim Berners-Lee, Henry Story, Web Access Control, 2023

Copyright

CC0 1.0 Universal (CC0 1.0) Public Domain Dedication

To the extent possible under law, the authors of this Fediverse Enhancement Proposal have waived all copyright and related or neighboring rights to this work.

This site is open source. Improve this page.