Flatpak paid apps and private repos design document

[Damián Nohales]

I'm Damián from Endless, I'm working with my team to add purchasing
support for Flatpak in a way that is useful for us and to the whole
Flatpak ecosystem, you probably remember some discussion that happened
here:

https://lists.freedesktop.org/archives/flatpak/2019-April/001545.html
https://lists.freedesktop.org/archives/flatpak/2019-May/001584.html

Right now we have a document where we are sketching the design and we
define the most relevant components and how we expect to work.
Basically we opted to use what we call an "Authenticator" which is a
D-Bus service able to generate tokens, using an API server (we call it
"Auth Server"), to then be used when pulling the refs. We added some
new options to the remote, two of them are used to tell Flatpak which
"Authenticator" should call for tokens, and a third option which is
the public key used to verify the token (the private part is going to
be part of the token authority, normally the "Auth Server").

In addition to this, the "Authenticator" is also able to give
information about the purchases the user has made and the status of
its subscriptions to apps, so that information can be reflected in
GNOME Software and other App Centers.

The "Authenticator" is also in charge of deciding what kind of
credentials must be used during the "Auth Server" communication, the
general idea is to have a well defined and generic D-Bus interface for
the "Authenticator" but allow the implementation to be as flexible as
we can.

The document is here and its open to comments. You can read everything
but the design starts in the "Terminology" section, so you can skip to
there.

https://docs.google.com/document/d/1zE_QbB6mtdhjH5bsFdf9kPrYvjKAMBRl4uSRYDt-BqQ/edit?usp=sharing

There are intentions to do peer review of this design during GUADEC's
BoF, so I think a first round of review would be nice to have
something more solid for GUADEC.

Thanks a lot!

-- 
Damián Nohales  |  Endless