@Permissioned Spaces
Expressive Authorization at the PDS
@verdverm.com | @blebbit.app
About me & blebbit
What are we talking about today?
Permissioned “spaces” in the PDS
Zanzibar and SpiceDB for ReBAC (relation based)
Capability Based tokens for delegation
Prototypes with ATProtocol
What are we NOT talking about today?
X E2EE encrypted data / messaging (~possible)
X Private Accounts (~possible)
X Keys and distribution (out of scope)
� Develop in parallel and become options for the people
Where do we start from?
Use Case and UX/DX
@bnewbold’s comment in #3363 - Private Data in the Repo?
Zanzibar & SpiceDB for ReBAC
Build, experiment, and talk in parallel together
Use-cases - (basically all existing apps)
Goal to craft a permissions fabric for all* apps?
People want privacy online
The People are asking #ATProtoDev for solutions
The people also want public spaces with permissions!
Prototypes & Experiments
Spaces, Groups, Roles, Relations, Content
Limit to the @atproto/… packages
Credible Exitible Philosophy (CEP)
Backwards Compatible with repos and network
Foundation for @blebbit.app … really any app
SpiceDB … thinking about it like an SQL database
Apps outsource IAM, PDS handles Dual Write / New Enemy
Dual Write Problem (transactions)
Want transaction semantics
Write to 2+ databases
FUBAR failures
Hard Problem!
New Enemy Problem (consistency)
can Darth see new content for a moment?� when is the permission system consistent?
Zookie, an opaque consistency token
Zanzibar / SpiceDB
Relation Based Access Control (ReBAC)
Capability Based Tokens / Authorization
I’m new to this, grain of salt*
Relation to OAuth in @ATProtocol
OAuth Scopes Permissions and Relations
Permission Sets Roles
App <-> Account Account <-> Account
(App <-- PDS --> PDS )
@spaces?
@spaces? (╯°□°)╯︵ ɐʇɐp
at://…?
AT-URI needs to grow…
at://<did>/<nsid>/<rkey> ... ?
at://verdverm.com…?space=my-space
AT-URI needs to grow… this is backwards compatible
at://<did>/<nsid>/<rkey> ? space = <skey> & ...
Unlocking query parameters is an interesting idea
@spaces?
@spaces?
/root
@spaces?
/root
owner
@spaces?
/root
/bsky
owner
@spaces?
/root
parent
/bsky
owner
@spaces?
/root
parent
/team
/bsky
owner
@spaces?
/root
parent
/team
/bsky
owner
@spaces?
admin
/root
parent
/team
/bsky
owner
@spaces?
admin
/root
?
parent
/team
/bsky
owner
@spaces?
admin
/root
?
parent
/team
/bsky
owner
read
@spaces?
admin
/root
?
parent
/team
/bsky
owner
read
@spaces?
admin
/root
?
parent
/team
/bsky
owner
read
like
@spaces?
admin
/root
?
parent
/team
/bsky
owner
read
like
/friends
@spaces?
admin
/root
?
parent
/team
/bsky
owner
read
like
post
/friends
@spaces? (╯°□°)╯︵ ɐʇɐp
admin
/root
?
parent
/team
/bsky
owner
read
like
post
/friends
@spaces? (╯°□°)╯︵ pɐǝɹ
admin
/root
?
parent
/team
/bsky
owner
like
post
/friends
X
@spaces? (╯°□°)╯︵ sddɐ
admin
/root
?
parent
/team
/bsky
owner
/friends
like
post
X
@joehills.net
@joehills.net
@joehills.net
@joehills.net
@joehills.net
/minecraft
@joehills.net
/minecraft
@joehills.net
/minecraft
/personal
@joehills.net
/minecraft
/personal
@joehills.net
/minecraft
/personal
@joehills.net
/minecraft
/personal
@joehills.net
/minecraft
/personal
@joehills.net
/minecraft
/personal
@prototype!
@blebbit / atproto
Fork of bluesky-social / atproto with patches
SpiceDB running next to the PDS
Schema, lexicon, and implementation, everything is wired up
Tooling for user-story experiments
PDS container image and pnpm overrides for clients
R&D instance & test network (permissioned relays experiments?!)
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - experiment & contribute
User Stories - advanced features
Prototype - @record table
Prototype - @spaces table
@Permissioned Spaces
@questions?