Release Notes

Installation and Upgrades

Starting in version 2.0, ESS provides:

• inrupt-kustomizer to install or upgrade ESS.

• Various Kustomize overlays that can act as the base configuration for your deployment.

In addition, improved quality health checks allow for a more robust rolling deploy.

For more information, see:

• Installation

• Upgrade

Pods and WebIDs

Separate Storage Services and WebID Services

Starting in 2.0, ESS replaces the LDP service (available in earlier ESS versions) with separate:

• Pod Provisioning Service,

• Pod Storage Service, and

• WebID Service.

With this change, Pods and WebIDs are created independently of each other, and WebIDs are no longer hosted on the Pods. This change allows for multiple Pods per WebID, prevents users from locking themselves out of their Pods, and allows users to obtain their WebID or Pods from alternative providers.

As part of this change:

• When ESS provisions a new Pod, it creates the Pod with the URL:

  https://storage.{ESS Domain}/{Unique Pod Identifier}/
  

• When ESS creates a new WebID, ESS creates a WebID of the form:

  https://id.{ESS DOMAIN}/{username}
  

See also:

• New Services

• Removed Services.

Pod Related Changes

Starting in version 2.0, ESS introduces:

• Pod Provisioning Service to manage Pod creation. The service also creates the extended profiles.

• Pod Storage Service to host the created Pods. The service is also responsible for reading and writing the resources stored in the Pod.

Pod URL

In 2.0, the created Pods have the URL of the form:

https://storage.{ESS Domain}/{Unique Pod Identifier}/

Extended Profiles

When creating a Pod, the new service also creates an extended profiles. The extended profile resource is separate from the public WebID profile.

Pod Provisioning Endpoint

ESS 2.0 also exposes Provisioning Endpoint that allows ESS Start Application can use to create new Pods and extended profiles.

WebID Related Changes

Starting in version 2.0, ESS introduces a new WebID service to create WebIDs and host their corresponding Profile documents. See also

WebID Change

The new WebID service creates WebIDs of the form:

https://id.{ESS DOMAIN}/{username}

WebID Profile Document

The new WebID service also creates the WebID profile document. This public WebID profile document is no longer stored as a resource in the user’s Pod.

For the profile resource stored in the user’s Pod, see extended profiles. Extended profiles (created by the Pod Provisioning Service) are distinct from the public WebID profiles.

WebID Profile Document Endpoints

ESS 2.0 also exposes various WebID Profile Document Endpoints to allow operators to create a custom start application.

See also:

• Pod Provisioning Endpoint

• ESS Start Application

Security

Access Control Mechanisms

ESS 2.0 supports:

• Identity-Based Access Policies, where access to Pod resources is determined by specific access policies based on agents’ identity, and optionally, the identity of their clients.

• Access Requests and Grants, where access to Pod resources can be requested and granted (or denied).

To support these mechanisms, ESS also adds UMA Service. This service allows clients to exchange a token or access grant in one format for an access token.

In earlier versions, ESS only supports identity-based access.

For more information, see Authorization/Access Control.

Access Control Policy (ACP) Changes

In line with the latest Editor’s Draft of Access Control Policy, ACP changes include:

• ACR (Access Control Resource) is hosted on the Authorization Service. In earlier version, ACRs were located in the Pod.

• Policies must exist within ACRs. In earlier version, Policies could be stored in a non-ACR resource and just referred to in an ACR.

• Matchers replaces Rules. Along with the naming change, Matchers require a match in order for the Policy to apply.

• The noneOf(<Matchers>) expression excludes matches from the allOf(<Matchers>) and anyOf(<Matchers>) expressions; that is, noneOf(<Matchers>) expression acts as a secondary/supplementary filter to the allOf and anyOf expressions

• Removes match by Group (where Group is identified by its URI/IRI). Instead, specify a matcher with a list of agents.

• Matchers must be attached to a Policy.

For more information, see Access Control Policy (ACP).

Access Control Client Allow List

Starting in version 2.0, ESS adds a new configuration option INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST that determines which applications can interact with Access Control Resource; that is, which applications can read and write access control policies for a resource.

See INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST.

UMA 2.0 Support

Starting in 2.0, ESS provides a User Managed Access Grant 2.0 (UMA) service. This service allows clients to exchange a token or credential in one format for an access token.

For more information, see UMA Service.

Access Request/Grant Support

Starting in version 2.0, ESS supports authorization mechanism based on Access Requests and Grants. With authorization mechanism based on Access Requests and Grants:

• Agents can request access to resources from the resource owners.

• The resource owners can either grant or deny the access request.

• If the access request is granted, the requesting agent can use the access grant to access the requested resource.

For more details, see:

• Access Requests and Grants

• Verifiable Credentials Service

• UMA Service

Services

New Services

New Service	Notes
Auditing Service	To support auditing activities from ESS services. In earlier ESS version, instead of a separate service, auditing is handled as a named category of Quarkus logging. For more information on the service, see Auditing Service and Auditing.
Pod Provisioning Service	To manage Pod creation. The service also creates the extended profiles. In earlier ESS version, LDP service handled WebID provisioning as well as Pod provisioning and hosting. For more information on the service, see Pod Provisioning Service. See also Separate Storage Services and WebID Services.
Pod Storage Service	To host the created Pods. The service is also responsible for reading and writing the resources stored in the Pod. In earlier ESS version, LDP service handled WebID provisioning as well as Pod provisioning and hosting. For more information on the service, see Pod Storage Service. See also Separate Storage Services and WebID Services.
Start Service	To host a default application that acts as the starting point for ESS users. The start application handles the signup or login flow. As part of this flow, the application provisions the user with a WebID and a Pod. For more information on the service, see Start Service. See also custom start application.
UMA Service	To support User Managed Access (UMA) Grant 2.0 authorization flow. This service allows clients to exchange a token or credential in one format for an access token that can be used to interact with a Pod resource. For more information, see UMA Service.
Verifiable Credentials Service	To support authorization based on access requests and grants. The new service: Issues VCs for access requests and grants. Verifies VCs. Updates the status of VCs (e.g., update the status to revoked). Queries for VCs and derives a Verifiable Presentation from the matching VCs. For more information, see Verifiable Credentials Service.
WebID Service	To create WebIDs and host their corresponding Profile documents. In earlier ESS version, LDP service handled WebID provisioning as well as Pod provisioning and hosting. For more information, see Separate Storage Services and WebID Services.

Changed Services

Changed Service	Notes
Authorization Service	In ESS 2.0, Authorization Service changes include: Hosts Access Control Resources (ACRs) as well as determines the access (based on Access Control Policies). In earlier version of ESS, the Authorization determined the access. For more information, see Authorization Service Authorization/Access Control.
OpenID Provider	In ESS 2.0, OpenID Provider changes include: Runs from https://openid.{ESS DOMAIN} by default. In earlier version of ESS, the service used https://broker.{ESS DOMAIN} by default. Adds support for static registration of clients. For more information, see: OpenID Provider Application Registration.
Query/QPF Service	In ESS 2.0, Quad Pattern Fragment (QPF) service changes include: Requires the URL of the Pod as a query parameter Requires the data to be indexed. Requires an OIDC token or a UMA 2.0 token to access the service. For more information, see Quad Pattern Fragment (QPF) service.

Removed Services

Removed Service	Notes
LDP Service	ESS replaces the LDP service with separate: Pod Provisioning Service, Pod Storage Service, and WebID Service. See also: Separate Storage Services and WebID Services
Search Access Service	ESS 2.0 no longer provides search access service. The access service provided a GraphQL endpoint that allowed Pod owners to query a Pod’s access control information. See Query Service instead.