Authentication

An authentication system determines the identity of a user or agent and the level of trust associated with this identity.

For authentication, the ESS Solid OIDC Broker Service implements the Solid-OIDC specification. Solid-OIDC specification builds upon the OpenID Connect standards, which itself builds on the OAuth 2.0 authorization framework.

• OAuth 2.0 defines a framework for authorization, in which a client obtains an access token to obtain access to resources.

• OpenID Connect defines a standard mechanism by which a web application leads a user through a login flow. The login flow results in a signed ID token, which is a JSON Web Token (JWT) that asserts the identity of the user.

  Since OpenID Connect builds on the OAuth 2.0 framework, OpenID Connect flow produces both access tokens and ID tokens. As the token names suggest, access tokens are generally used to gain access to resources whereas ID tokens are used to identify a user.

Identity

WebID

Rather than representing the identity of users with any string (e.g., user1234, etc.), Solid identifies users with a WebID. A WebID is a URL (e.g., https://id.<ESS Domain>.com/user1234) that can be dereferenced to an RDF profile document.

ESS includes a WebID Service. WebIDs issued by ESS have the form:

https://id.<ESS DOMAIN>/<username>

Client Identifier (Client ID)

In Solid-OIDC (i.e., in OAuth 2.0 and OpenID Connect), an application identifies itself using a client identifier (Client ID).

A Client ID can be:

• a URL that dereferences to a Client ID Document.

• a value that has been registered using either OIDC dynamic or static registration.

Solid-OIDC Client ID Document

Inrupt’s Enterprise Solid Server (ESS) supports Client Identifiers (Client IDs) that are of type URL and dereference to a JSON-LD document, the Client ID Document.

Allow List of Client IDs

In ESS, the use of Client IDs (URLs) also allows you to decide not only who has access to your data but also which applications are used to access your data.

For example, operators can use Client IDs to specify:

• INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST. INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST determines which applications can modify the Access Control Resource (i.e., which applications can modify the Access Control Policies for Pod resources)

  This list is also used to initialize a Pod’s access policies.

• INRUPT_VC_CLIENT_ID_ALLOW_LIST. INRUPT_VC_CLIENT_ID_ALLOW_LIST determines which applications can access /issue Endpoint and /status Endpoint.

Client Registration

For applications that do not use identifiers that dereference to a Client ID Document, they can register with ESS’ Solid OIDC Broker service (the Broker).

To register, a client provides various metadata about itself as part of its registration request (see RFC7591: 3.1 Client Registration Request).

Upon successful registration, the Broker responds with a unique client_id. The response may include additional fields. For details, see RFC7591: 3.2 Client Registration Responses.

Dynamic Registration

To dynamically register an application POSTs to the Broker’s client registration_endpoint with the client’s metadata.

Tip

To determine if the Broker supports dynamic client registration, check its /.well-known/openid-configuration for the registration_endpoint field.

Inrupt’s JavaScript client libraries provide login APIs that handle dynamic registration of applications.

Static Registration

ESS supports static registration of client applications associated with a user (i.e., WebID). Static registration results in client credentials (i.e., client_id and client_secret).

Single-user scripts and bots can use these client credentials to authenticate (on behalf of the user) without requiring browser-based user interactions with the Identity Provider.

For details, see Application Registration.

Tokens

As part of the ESS login flow, which implements the Solid-OIDC specification, ESS’ Solid OIDC Broker Service issues ID tokens and access tokens.

ID Tokens

An ID token asserts the identity of the user and is represented as a JSON Web Token (JWT).

ID Token Structure

The OpenID specification defines an extensible data structure for ID Tokens. This data structure is serialized as a JSON Web Token.

See also Broker Token Claims.

Lifespan

ESS ID tokens have a default lifespan of 5 minutes (see SMALLRYE_JWT_NEW_TOKEN_LIFESPAN).

Signed Access Token

The ESS login flow results in signed access tokens. Access tokens provide access to resources. An access token issued by ESS is represented as a JSON Web Token (JWT).

ESS verifies the token signature and that the token has not expired. An invalid token cannot be used to gain access to resources.

Signed Access Token Structure

ESS uses the JWT-based structure for access tokens.

See also Broker Token Claims.

Lifespan

ESS access tokens have a default lifespan of 5 minutes (see SMALLRYE_JWT_NEW_TOKEN_LIFESPAN).

Demonstration of Proof-of-Possession (DPoP) Token

As an additional layer of protection against token stealing and various replay attacks, Solid clients can send an additional HTTP header (specifically a DPoP proof).

A DPoP proof can be used to verify that a client is in legitimate possession of an access token while also scoping the request to a particular Pod resource. This helps prevent against token exfiltration attacks.

ESS uses version 00 of DPoP.