Linked Data Notifications

LDN is one of several related specifications being produced by the Social Web Working Group. Implementers interested in alternative approaches and complimentary protocols should start by reading the overview document Social Web Protocols.

A sender is triggered, either by a human or an automatic process, to deliver a notification to a server. The notification is data intended for the attention of the receiver, for example: a personal message from a friend; a pingback link; a comment on a blog post; an invitation to collaborate; a calendar reminder.

The sender discovers where to deliver the notification based on the addressee or subject of the notification (the receiver) who advertises the appropriate location to send it to (the Inbox). Any resource can have its own Inbox. The receiver also exposes the notification data (according to appropriate access control) for use by consumers.

Consumers discover the location of the Inbox in the same way as the sender, and may perform further processing on the notifications, combine it with some other data, or simply present it in a suitable human-readable way.

Senders and consumers discover a resource's Inbox URL through a relation in the HTTP Link header or body of the resource.

The Sender:

• Creates the body of the notification according to the needs of application.
• Sends the notification to the Inbox URL by making a POST request, containing the body in JSON-LD or in another serialization acceptable by the server.

The Receiver:

• Responds to GET requests made to the Inbox URL with a JSON-LD representation (or if possible, requested serialization) of the URLs of the notifications that have previously been sent to the Inbox.
• Accepts POST requests at the Inbox URL to create notifications.
• Optionally enforces constraints on notifications sent to the Inbox.

The Consumer:

• Retrieves the contents of the Inbox URL with a GET request, and uses according to the needs of application.

LDN implementations may be senders, receivers or consumers. The conformance criteria for each of these roles are described in their respective sections of this specification.

For this specification to advance to Proposed Recommendation, there must be at least two independent, interoperable implementations of each feature. Each feature may be implemented by a different set of products. There is no requirement that all features be implemented by a single product.

• Independent implementations are developed by different parties and cannot share, reuse or derive form another qualifying implementation code which is directly pertinent to the implementation of this specification.
• Interoperability occurs between senders and receivers, or between consumers and receivers, when the sender/consumer makes a request to the receiver, and the receiver sends the expected response, as defined by this specification.
• An implementation is an LDN sender, receiver or consumer which implements the corresponding conformance class of the specification.

For the purposes of evaluating exit criteria, each of the following is considered a feature:

• Advertising the Inbox of a given resource through the Link header.
• Advertising the Inbox of a given resource through the body of the resource.
• Sending a notification to the Inbox of a given target.
• Receiving a notification and responding with the appropriate status code according to how it was processed and if it was accepted. Responding to GET requests on the Inbox with the Inbox listing, and responding to GET requests on the individual notifications with their representations.
• Reading the Inbox listing of a given target.
• Reading the individual notifications in the Inbox of a given target.

An Inbox, the endpoint which notifications are sent to or consumed from, can be discovered from any resource, for example a blog post, a user profile, a dataset, a video. The starting point for discovery is the resource which the notification is to or about: the target. Choosing the most appropriate target resource from which to begin discovery is at the discretion of the sender or consumer, since any resource (RDF or non-RDF) may have its own Inbox.

To discover the Inbox URL, senders and consumers:

• make a HEAD or GET request on the target URL, to check for an HTTP Link header with a rel value of http://www.w3.org/ns/ldp#inbox
• make a GET request on the target URL and, for RDF sources [RDF 1.1], the Inbox is the object of the predicate http://www.w3.org/ns/ldp#inbox.

These may be carried out in either order, but if the first fails to result in an Inbox the second MUST be tried. However, if the target contains a fragment identifier, the fragment is not part of the request to the server so any Inbox found in the Link headers will be for the resolved URL (without the fragment). Thus, senders and consumers SHOULD omit the Link header discovery when targeting URIs with fragment identifiers.

A resource MUST advertise only one Inbox. One Inbox MAY be used by multiple resources, for example using the same Inbox for replies to all of my blog posts and shares of all of my photos.

HEAD /profile HTTP/1.1
Host: user.example

HTTP/1.1 200 OK
Link: <https://user.example/inbox/>; rel="http://www.w3.org/ns/ldp#inbox"
                                        

GET /profile HTTP/1.1
Host: user.example
Accept: application/ld+json

HTTP/1.1 200 OK
Content-Type: application/ld+json

{
  "@context": "http://www.w3.org/ns/ldp",
  "@id": "https://user.example/profile",
  "inbox": "https://user.example/inbox/"
}
                                        

GET /profile HTTP/1.1
Host: user.example
Accept: text/html

HTTP/1.1 200 OK
Content-Type: text/html

<a href="/inbox/" rel="http://www.w3.org/ns/ldp#inbox">My inbox</a>

                                        

Following discovery, senders MUST deliver notifications through a POST request to the Inbox URL. Senders can expect a 201 Created (with a Location Link header) in response to a successful request.

The sender MAY use an OPTIONS request to determine the RDF content types accepted by the server, and serialize the notification in the request body according to the value of the Accept-Post header [Accept-Post] returned. Otherwise, the body of the POST request MUST contain the notification payload in JSON-LD with header Content-Type: application/ld+json. The Content-Type header MAY include a profile URI [RFC6906].

The sender MAY include additional headers or content for the purposes of authentication or authorization e.g., Authorization: Bearer XXX.

Request:

POST /inbox/ HTTP/1.1
Host: user.example
Content-Type: application/ld+json

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "@id": "",
  "@type": "Announce",
  "actor": { "@id": "https://example.org/profile#alice" },
  "object": { "@id": "https://example.org/annotation-1" },
  "target": { "@id": "https://user.example/article#introduction" },
  "updated": "2016-06-23T15:03:01Z"
}
                                        

Response:

HTTP/1.1 201 Created
Location: https://user.example/inbox/notification-1
                                        

Receivers MUST support GET and POST requests on the Inbox URL. In LDP terms, an Inbox is a Container.

HEAD /inbox/ HTTP/1.1
Host: user.example

HTTP/1.1 200 OK
Allow: GET, HEAD, OPTIONS, POST
Accept-Post: application/ld+json, text/turtle

POST /inbox/ HTTP/1.1
Host: user.example
Content-Type: application/ld+json

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "@id": "",
  "@type": "Announce",
  "actor": { "@id": "https://example.org/profile#alice" },
  "object": { "@id": "https://example.org/annotation-1" },
  "target": { "@id": "https://user.example/article#introduction" },
  "updated": "2016-06-23T15:03:01Z"
}

HTTP/1.1 201 Created
Location: https://user.example/inbox/notification-2
                                                

GET /inbox/ HTTP/1.1
Host: user.example
Accept: application/ld+json

HTTP/1.1 200 OK
Content-Type: application/ld+json

{
  "@context": "http://www.w3.org/ns/ldp",
  "@id": "https://user.example/inbox/",
  "contains": [
    { "@id": "https://user.example/inbox/notification-1" },
    { "@id": "https://user.example/inbox/notification-2" }
  ]
}
                                                

Consumers retrieve the URIs of notifications in an Inbox through making a GET request on the Inbox URL (to find this URL, see discovery).

The URIs of the notifications MUST be discoverable through the http://www.w3.org/ns/ldp#contains predicate of the Inbox URL (see example for Inbox content).

When retrieving the Inbox or the individual notifications, the consumer SHOULD explicitly set the Accept header to indicate preferred content types, including for JSON-LD. Fetching the notifications — if any, how many, or according to a particular criteria (e.g., content-length, timestamp) — is at the discretion of the consumer.

The consumer MAY include additional headers or content for the purposes of authentication or authorization.

Consumers MAY perform additional fetching or inferring of information from the payload (e.g., dereferencing resources referenced in the notification to fetch their contents) at their discretion.

This section is non-normative. Here are some examples of notification content:

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "@id": "https://example.org/note",
  "inReplyTo": "https://example.net/article"
}
                                                

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "@id": "",
  "@type": "Announce",
  "actor": { "@id": "https://example.org/profile#alice" },
  "object": { "@id": "https://example.org/annotation-1" },
  "target": { "@id": "https://user.example/article#introduction" },
  "updated": "2016-06-23T15:03:01Z"
}

                                                

{
  "@id": "",
  "@type": "http://purl.org/net/pingback/Item",
  "http://purl.org/net/pingback/source":
    { "@id": "https://example.org/annotation-1" },
  "http://purl.org/net/pingback/target":
    { "@id": "https://user.example/article#introduction" }
}

                                                

{
  "@context": [
    { "sioc": "http://rdfs.org/sioc/ns#" },
    { "foaf": "http://xmlns.com/foaf/0.1/" }
  ],
  "@id": "",
  "@type": "sioc:Comment",
  "sioc:reply_of": { "@id": "https://user.example/article" },
  "sioc:created_at": "2015-12-23T16:44:21Z",
  "sioc:content" : "This is a great article!",
  "sioc:has_creator": {
    "@id": "https://example.org/profile/",
    "@type": "sioc:UserAccount",
    "sioc:account_of": { "@id": "https://example.org/profile#alice" },
    "sioc:avatar": { "@id": "https://example.org/profile/avatar.png" },
    "foaf:name": "Alice"
  }
}
                                                

This section is non-normative.

Inbox URLs can announce their own constraints (e.g., SHACL, Web Annotation Protocol) via an HTTP Link header or body of the resource with a rel value of http://www.w3.org/ns/ldp#constrainedBy. Senders should comply with constraint specifications or the receiver may reject their notification and return an appropriate 4xx error code.

This section is non-normative.

Given the nature of the notification payload, consumers may want to take precautions when ascertaining the veracity of the contents. The open-world assumption applies here.

Receivers SHOULD verify the sender of the notification, for example:

• by having a whitelist of senders with write access to the Inbox
• requiring authentication to enforce receiver's knowledge of every sender
• retrieve a copy of the notification from the sender's domain to verify its origin
• checking a digital signature which accompanies the notification

Receivers SHOULD use constraints to filter unwarranted notifications from being created on the server and exposed by the Inbox. Consumers MAY also want to check the notifications against any constraints as announced by an Inbox before further processing or use.

If the sender has any services that listen on localhost that don't require authentication, it's possible for a malicious script to run at the Inbox endpoint that could cause the sender to make an arbitrary POST request to itself. Senders SHOULD NOT make POST requests to the Inbox that are localhost or a loopback IP address.

Receivers could consider implementing access control on the Inbox URL to restrict writing to a whitelist of trusted senders.

In the case of sending sensitive information, the sender should be aware that the receiver may implement access control on the Inbox that allows for public reading of the contents.

This section is non-normative.

Software that wants to retry discovery of the Inbox for a resource, or try discovery for multiple resources on the same domain, may want to follow the information in cache headers.

This section is non-normative.

Publishers of the resources advertising an Inbox (target) should do so on a server they trust. Publishers must be aware that third-party access to headers or content could result in notifications being redirected.

This section is non-normative.

This specification describes how consumers can read notifications from a receiver through pull, however consumers may want to ask to have incoming notifications or changes to Inbox's contents pushed to them. Similarly, receivers may wish to make a request for notifications from a particular sender. This kind of subscription mechanism left out of scope, but senders, receivers and consumers are not prohibited from making such an arrangement. Implementations that wish to enable subscribing may want to use existing mechanisms e.g., [ActivityPub], [PubSubHubbub], [The WebSocket Protocol], [HTTP Web Push].

• Improve examples; update, syntactical fixes, @context in https
• Typos, punctuation, naming
• Use informative discretion about the payload

• Typos, punctuation, naming
• Add Exit Criteria
• Clarify behaviour when Accept header is used and omitted
• Add a note about subject of the relation for the Link header field
• Add GET for possible Link header, clarify subject URI (for its Inbox) in target URL
• Revise Abstract
• Add consideration about target ownership
• Mention 'any resource can have its own inbox'
• Add Subscribing to Notifications section

• Fix typos and links
• Reorder sections to Sending, Receiving, Consuming
• Update examples
• Add reference to RFC7231
• Clarify wording for URI discovery
• Add sub-headings for the non-normative sections under Considerations
• Add overview diagram