Authentication#

An authentication system determines the identity of a user or agent and the level of trust associated with this identity.

OpenID Connect (OIDC) defines a standard mechanism by which a web application leads a user through a login flow at an identity provider. The flow results in a signed JSON Web Token (JWT) that asserts the identity of the user.

Identity#

WebID#

Solid builds on the OpenID Connect specifications. Rather than representing the identity of a user with an arbitrary string (e.g., user1234), Solid identifies users with a URL that can be dereferenced to a WebID profile (e.g., https://domain.com/user1234). The WebID profile resource makes claims (its solid:oidcIssuer statements) about which identity providers are trusted to issue signed JSON Web Tokens on behalf of this WebID.

Signed Access Token#

An important part of this trust model is based on the signed JSON Web Token. A Pod server verifies that the token signature is legitimate using OIDC discovery, a well-defined protocol that is part of the OIDC specification: it resolves the issuer named in the token to that issuer's published signing keys and checks the signature against them. It also checks that the issuer is one that the WebID profile declares as trusted. If the signature is not valid, if the token has expired, or if the issuer is not trusted for that WebID, the client is denied access to the Pod.

Demonstration of Proof-of-Possession (DPoP) Token#

As an additional layer of protection against token theft and replay attacks, Solid clients send with each request an additional token (specifically a DPoP proof) that cryptographically proves the client is in legitimate possession of the access token. The proof is a short-lived JWT signed with a key pair held by the client; the access token is bound to the public half of that key pair when it is issued, and the proof is scoped to the HTTP method and the URL of the particular Pod resource being requested and carries a unique identifier so that a Pod server can reject replays. An attacker who exfiltrates the access token alone cannot use it without the client's private key.

Ultimately, this results in sending a trustworthy access token, along with a DPoP token, to a Pod server that unambiguously identifies a user or agent.

Solid OIDC Broker Service#

ESS’s Solid OpenID Connect (OIDC) Broker Service provides a compatibility layer between Solid, which identifies users with a WebID, and traditional OpenID Connect (OIDC) applications, which identify users with strings. The Solid OIDC Broker Service allows a Solid user to log in with any existing OIDC-compliant identity provider.

See also: