Solid OpenID Connect Service

Inrupt’s Solid OpenID Connect Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The Solid OpenID Connect Service allows a Solid user to login with any existing OIDC-compliant identity provider.

See also:

• Authentication

Identity Broker/WebID

Generally, the first time a user logs into Inrupt’s Enterprise Solid Server, a new Pod is provisioned for this user. This process includes creating a WebID for the user and assigning access permissions for this WebID.

WebID Construction (Inrupt’s Identity Broker)

Defining the WebID of a user or agent is the responsibility of the identity provider. On ESS, the user’s Pod URL and WebID have the following pattern:

• For the Pod URL, append the username to the domain; i.e., https://<domain>/<username>/.

• For the WebID, append /profile/card#me to the Pod URL; i.e., https://<domain>/<username>/profile/card#me.

For example, if a user has the username alice with an existing identity provider, then ESS creates the following Pod and WebID for this user (assuming the pods.example.com as the ESS domain):

Pod URL	https://pods.example.com/alice/
WebID	https://pods.example.com/alice/profile/card#me.

Solid OpenID Connect Service Configuration

Required Settings

The following configuration properties (listed as environment variables) are required:

INRUPT_OPENID_ISSUER

The URL of the OpenID issuer. The installation script automatically sets this value.

QUARKUS_OIDC_AUTH_SERVER_URL

The URL of your OIDC authentication server. The installation script prompts for this value.

QUARKUS_OIDC_CLIENT_ID

Your OIDC client ID. The installation script prompts for this value.

QUARKUS_OIDC_CREDENTIALS_SECRET

Your OIDC credentials. The installation script prompts for this value.

SMALLRYE_JWT_SIGN_KEY_LOCATION

Path to your JWT Key location. The installation script automatically sets this value.

Optional Settings

The following settings are optional:

COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_VALUE

Default: 10

The maximum time to wait for the client resolver to fetch remote application identifiers.

See also COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_UNIT for the time unit.

COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_UNIT

Default: SECONDS

Valid values are the ChronoUnit Enum Constants constants as strings; e.g., SECONDS, MINUTES, HOURS, etc.

See also COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_VALUE for the amount of time.

INRUPT_OPENID_ACCESS_TOKEN_SUB

Default: false

A boolean flag that specifies whether to include a subject sub claim in the user’s access token. Set to true to include.

INRUPT_OPENID_APPROVAL_TEMPLATE_LOCATION

The location of a custom approval HTML page to be shown as part of the login flow. Leave unset to use the default approval page. For an example of setting a custom approval page, see Customize Approval Page.

INRUPT_OPENID_CLIENT_DOMAIN_ALLOWLIST

A comma-delimited list of allowed domains for application identifiers (e.g., https://registry.example/,https://apps.example/registry/).

If set, only the listed domains are allowed for application identifiers unless the domain is also denied in the INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST. If unset, all domains are allowed for appliction identifiers with the exception of any domains listed in the INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST configuration.

See also INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST

INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST

A comma-delimited list of domains that are not acceptable for application identifiers (e.g., https://registry.example/,https://apps.example/registry/).

If set, application identifiers from the listed domains are not allowed. If unset, all domains are allowed unless INRUPT_OPENID_CLIENT_DOMAIN_ALLOWLIST is set.

INRUPT_OPENID_CUSTOM_CLAIMS

Comma-delimited mapping of custom claims to OAuth2 scopes having the form <claim1>=<scope1>,<claim2>=<scope2>,... (e.g., appid=myapp,avatar=myapp,pet=myapp).

INRUPT_OPENID_JWT_ALTERNATIVE_PUBLIC_KEY_LOCATIONS

A comma-delimited list of paths to alternative keys to include in the service’s public JSON Web Key Set. The property may be useful when rotating signing keys while continuing to support the verification of older signatures.

INRUPT_OPENID_LOGOUT_URL

If the backing authorization server does not support OpenID-based logout but does have a custom logout endpoint, that value can be defined with this configuration.

Do not use this setting with ``QUARKUS_OIDC_LOGOUT_PATH``.

INRUPT_OPENID_POD_REGISTRATION_URL

Specifies the Pod registration URL (e.g., https://pod.server.example/register) for provisioning a Pod during the post_consent stage of authentication.

When integrating with ESS, this setting is required.

INRUPT_OPENID_POD_REGISTRATION_AGENT

The WebID of the agent if provisioning a Pod during the post_consent stage of authentication.

When integrating with ESS, this setting is required.

INRUPT_OPENID_SCHEDULED_TASKS

Default: 300s (every 300 seconds)

The interval at which to run scheduled jobs in the background. The value is a string that specifies the number of seconds followed by the letter s.

This configuration is only relevant for PostgreSQL-based deployments.

INRUPT_OPENID_SCOPES

A comma-delimited list of OAuth2 scopes (e.g., openid,offline_access) available for client applications.

INRUPT_OPENID_USER_CLAIM_NAME

By default, WebID values are derived from the sub claim in the ID tokens produced by the backing identity provider. If a different claim is to be used, that should be set with this configuration.

For example, if the identity provider produces tokens with a user_id claim, this setting will use that claim instead of the sub claim when generating WebID values.

Care should be taken when using this setting. An operator should ensure that values in this claim are unique across the corresponding user pool.

INRUPT_OPENID_WEBHOOK_POST_CONSENT_URL

The URL to which the post_consent Webhook sends data. The data sent includes:

• OIDC issuer claim

• OIDC subject claim

• Solid WebID claim

• Authentication stage (e.g., post_consent)

This can be used with an external auditing system that keeps track of all OpenId-based user consent agreements.

INRUPT_OPENID_WEBHOOK_POST_CONSENT_AUTH

When the INRUPT_OPENID_WEBHOOK_POST_CONSENT_URL configuration is used with endpoints that require authentication, this setting can be used to populate an Authorization header in those requests.

INRUPT_OPENID_WEBID_SUBJECT_PREFIX

A user’s WebID value is formed from either the sub claim from the backing identity provider or from another claim (via the INRUPT_OPENID_USER_CLAIM_NAME setting). This setting makes it possible to prefix these incoming values with a supplied string.

For example, if the identity provider generates ID tokens with a sub claim of 123456, a WebID URL might otherwise be formed as https://pod.server.example/123456/profile/card#me. With this setting, a prefix of user_ would result in WebID values taking this form: https://pod.server.example/user_123456/profile/card/#me.

Care should be taken with this value. An operator should not change this after users have begun provisioning Pods with their WebID.

QUARKUS_OIDC_AUTHENTICATION_SCOPES

A comma-delimited list of OAuth2 scopes (e.g., openid,offline_access) available from the the backend.

QUARKUS_DATASOURCE_JDBC_URL

The URL of the datasource. This is only relevant for PostgreSQL-based deployments.

For more information, see https://quarkus.io/guides/datasource#quarkus-agroal_quarkus.datasource.jdbc.url

QUARKUS_OIDC_LOGOUT_PATH

If the backing identity provider supports user-initiated logout, as defined by the OpenID Connect specification, this property can be used to define the path where logout is initiated. For example, if this service is running at https://id.example, a logout path of /logout would set the url https://id.example/logout as the logout path for the application.

This configuration should not be used if the backing identity provider does not support OpenID Connect-based logout.

For more information, see https://quarkus.io/guides/security-openid-connect#quarkus-oidc_quarkus.oidc.logout.path.

QUARKUS_OIDC_LOGOUT_POST_LOGOUT_PATH

If QUARKUS_OIDC_LOGOUT_PATH is used, this value must be set as /endsession.

SMALLRYE_JWT_NEW_TOKEN_LIFESPAN

Default: 300

The number of seconds before access tokens and ID tokens expire.

Configure Solid OpenID Connect Service

To update the configuration, you can use Kustomize overlays. For examples, see

• Customize Approval Page

• Logging

For additional information and examples on customizing ESS, see Customize ESS.