Solid OIDC Broker Service

Inrupt’s Solid OIDC Broker Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The Solid OIDC Broker Service allows a Solid user to login with any existing OIDC-compliant identity provider.


Solid OIDC Broker Service Configuration

To configure the Solid OIDC Broker Service, edit the parameters of its bundled configuration, which are defined in the following Kubernetes YAML file:

  • $RELEASE_DIR/deployment/kubernetes/aws/05_deployments/oidc-deployment.yaml

Configure Logging and Auditing

Logging and auditing are configured through Quarkus. To configure logging and auditing for the Solid OIDC Broker Service, see Logging.

Identity Broker/WebID Customization

Generally, the first time a user logs into Inrupt’s Enterprise Solid Server, a new Pod is provisioned for this user. This process includes creating a WebID for the user and assigning access permissions for this WebID.

Default WebID Construction (Inrupt’s Identity Broker)

Defining the WebID of a user or agent is the responsibility of the identity provider. For systems that use Inrupt’s Identity Broker with an existing identity provider, the user’s Pod URL and WebID follow this pattern:

  • For the Pod URL, append the username to the domain; i.e., https://<domain>/<username>.

  • For the WebID, append /profile/card#me to the Pod URL; i.e., https://<domain>/<username>/profile/card#me.

For example, if a user has the username alice with an existing identity provider, then the Inrupt Identity Broker defines the following Pod and WebID for this user (assuming the pods.example.com as the server domain):

Pod URL

https://pods.example.com/alice/

WebID

https://pods.example.com/alice/profile/card#me

Custom WebID Construction (Custom Solid Identity Broker)

Inrupt provides an Apache Maven archetype (a project template) that can be used to create a new identity broker with a customized mapping of usernames to Pod URLs and WebID locations.

Using this archetype requires the following:

  • Java 11 development environment

  • Apache Maven

  • Access token to the Inrupt release repository.

To develop a custom identity broker from the template:

  1. Add the following <server> and <profile> elements into your project’s ~/.m2/settings.xml, substituting your token value for {TOKEN}:

    <settings>
      ...
      <servers>
        <server>
          <id>inrupt</id>
          <username>inrupt/release</username>
          <password>{TOKEN}</password>
        </server>
      </servers>
      <profiles>
        <profile>
          <id>inrupt-archetype</id>
          <repositories>
            <repository>
              <id>inrupt</id>
              <url>https://download.software.inrupt.com/basic/release/maven/</url>
            </repository>
          </repositories>
        </profile>
      </profiles>
      ...
    </settings>
    
  2. Run the following command to build the project template:

    mvn archetype:generate \
      -DarchetypeGroupId=com.inrupt \
      -DarchetypeArtifactId=inrupt-oidc-archetype \
      -DarchetypeVersion=1.0.0 \
      -Pinrupt-archetype
    

    The operation generates the new project in interactive mode, prompting for values related to the structure of the new project. Enter the values for the prompted properties.

    After the command completes, the newly generated identity broker project includes, among other files, a single Java class, CustomizedWebIdMapper, and a Docker configuration file.

  3. To customize the Pod URL and WebID mapping, you can modify the following CustomizedWebIdMapper methods:

    • String createWebId(String subject, String issuer, OAuth2Authentication authentication);

    • String createPodName(String subject, String issuer, OAuth2Authentication authentication);

    The methods have the following parameters:

    • The subject and issuer parameters are values that the backend identity server provided as part of the OIDC ID token it generated.

    • The authentication parameter is available to access other values. The OAuth2Authentication class is defined by the spring-security-oauth2 artifact.

  4. After the identity broker has been customized, it is the responsibility of the developer to manage any deployment or containerization. The Docker configuration file provided as part of the project can be customized for this purpose.
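The following class is an added illustration, not code generated by the Inrupt archetype or shipped by Inrupt. It implements the two method signatures listed in step 3 and reproduces the default construction from the "Default WebID Construction" section (https://<domain>/<username>/ and .../profile/card#me) for subjects that are safe path segments. Everything else is an assumption: the package name, the constructor and its podBase and primaryIssuer parameters, that createPodName returns only the <username> path segment, and that the generated class has no superclass that must be extended. The OAuth2Authentication type is the one from the spring-security-oauth2 artifact the guide names; the authentication parameter is accepted but not used here. The point of the example is the defensive part: an OIDC subject is unique only within its issuer, and it is an opaque string that may contain "/", "..", "#" or "%", so using it verbatim as a path segment would let two identity providers collide on one Pod or let a subject resolve into another user's Pod.

```java
package com.example.broker; // hypothetical package name, not from the archetype

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.regex.Pattern;

import org.springframework.security.oauth2.provider.OAuth2Authentication; // spring-security-oauth2

/**
 * Illustrative username -> Pod name / WebID mapper (added example, not Inrupt's code).
 * A Pod name is a single URL path segment, so it must never contain '/', '..',
 * '%', '#' or '?'; otherwise a crafted subject could resolve into another Pod.
 */
public class CustomizedWebIdMapper {

    /** Subjects that may be used verbatim as a path segment. No case folding:
     *  lowercasing "Alice" and "alice" would merge two distinct subjects. */
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9-]{0,62}");

    private final String podBase;       // assumed, e.g. "https://pods.example.com/"
    private final String primaryIssuer; // assumed: the one IdP whose subjects become plain usernames

    public CustomizedWebIdMapper(String podBase, String primaryIssuer) {
        this.podBase = podBase.endsWith("/") ? podBase : podBase + "/";
        this.primaryIssuer = Objects.requireNonNull(primaryIssuer, "primaryIssuer");
    }

    /**
     * Returns the <username> segment of https://<domain>/<username>/.
     * Safe subjects from the primary issuer keep the default construction.
     * Any other (issuer, subject) pair gets a name derived from SHA-256 over
     * both values, so "alice" at two different IdPs never share a Pod and
     * unsafe characters never reach the URL.
     */
    public String createPodName(String subject, String issuer, OAuth2Authentication authentication) {
        Objects.requireNonNull(subject, "subject");
        Objects.requireNonNull(issuer, "issuer");
        if (primaryIssuer.equals(issuer) && SAFE_NAME.matcher(subject).matches()) {
            return subject;
        }
        // NUL separator prevents ("ab","c") and ("a","bc") from hashing identically.
        return "u-" + sha256Hex(issuer + "\u0000" + subject).substring(0, 32);
    }

    /** WebID = Pod URL + "profile/card#me", the default construction from the guide. */
    public String createWebId(String subject, String issuer, OAuth2Authentication authentication) {
        return podBase + createPodName(subject, issuer, authentication) + "/profile/card#me";
    }

    private static String sha256Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; issuer URLs are placeholders.
        CustomizedWebIdMapper mapper =
                new CustomizedWebIdMapper("https://pods.example.com", "https://idp.example.com");

        System.out.println(mapper.createWebId("alice", "https://idp.example.com", null));
        // https://pods.example.com/alice/profile/card#me  (default construction kept)

        System.out.println(mapper.createPodName("../alice", "https://idp.example.com", null));
        // u-<hash>: a traversal-looking subject is never used verbatim

        System.out.println(mapper.createPodName("alice", "https://other-idp.example.org", null));
        // u-<different hash>: the same subject at another IdP gets its own Pod
    }
}
```

The mapper does not validate the ID token; by the time these methods run, the server has already verified the token against the trusted key sets (see the allow list configuration below), so the mapper's only job is to turn an already-trusted (issuer, subject) pair into a Pod name that cannot alias another user's. If you need a human-readable name for subjects from secondary issuers, derive it from the same namespaced input rather than from the raw subject.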

For general information on Maven archetypes, see https://maven.apache.org/guides/introduction/introduction-to-archetypes.html.

Identity Provider Allow List

To configure an IdP allow list, edit the file $RELEASE_DIR/deployment/kubernetes/aws/03_config/ess-config.yaml.

Specifically, edit the INRUPT_JWKS_TRUSTED_KEYSET_LOCATIONS value in that file. Set the property to a comma-delimited list of the identity providers’ JSON Web Key Set URIs (i.e., a comma-delimited list of their jwks_uri values).
