Sessions#
OpenID Sessions for Multi-User Web Application#
Inrupt’s Java Client Libraries can work with 3rd party libraries/frameworks that support OpenID Connect and OAuth2 (for example, Spring Security, Quarkus). To support the OIDC login flow, these frameworks typically require you to configure:
a
client_id
[1] andan OpenID provider (e.g.,
https://login.inrupt.com
for PodSpaces).
To login/logout your users, refer to your framework’s documentation on OpenID Connect support.
Authenticated Session#
Once a user has successfully logged in [2], you can access the ID Token from your framework, and create an authenticated Session using the OpenIdSession class. For example:
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
//...
public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());
//...
}
Tip
In multi-user contexts, multiple sessions in a single application must be managed to ensure that one user’s session is not used by another user. See Session Management for more information.
To clear cached credential data from the session, use Session.reset().
To login/logout your users, refer to your framework’s documentation on OpenID Connect support.
OpenID Sessions for Statically Registered Single-User App#
For applications that run on behalf of a single-user only (such as a single-user command-line app), you can statically register application if static registration is supported by your Solid Identity Provider. For example, if using the Solid Identity Provider for Inrupt’s Pod Spaces, you can statically register your application via its Application Registration page.
Static registration results in a Client ID and Client Secret pair, which can be used for Client Credentials flow.
Warning
Safeguard your Client ID
and Client Secret
values. Do not share these with any third parties as anyone with
your Client ID
and Client Secret
values can
impersonate you and act fully on your behalf.
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;
public class MyPersonalApplication {
// For PodSpaces, the IdentityProvider is https://login.inrupt.com
public void run(String myIdentityProvider, String myClientID, String myClientSecret) {
try{
URI issuer = URI.create(myIdentityProvider);
Session session = OpenIdSession.ofClientCredentials(
issuer,
myClientID,
myClientSecret,
"client_secret_basic");
// ... Perform operations as the user who registered the app
} catch (Exception e) {
//...
}
}
}
To clear cached credential data from the session, use Session.reset().
Sessions for Access Grants#
To use Access Requests and Grants, applications uses both Access Grant(s) and an OpenID-based session to build an AccessGrantSession. For example:
AccessGrant grant = // ....;
Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);
Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);
To clear cached credential data from the session, use Session.reset().
For information on access grants, see Access Requests and Grants.