Session Management#

Multi-User Web Application#

Inrupt’s Java Client Libraries can work with 3rd party libraries/frameworks that have OpenID Connect Authentication integration (for example, Spring Boot, Quarkus, etc.). These frameworks require:

  • client_id and

  • an authorization server URL (e.g., for PodSpaces).

Refer to your framework’s documentation on OpenID Connect support.

Solid Client ID#

Inrupt’s Enterprise Solid Server (ESS) supports the use of Solid-OIDC Client Identifiers (Client IDs). The Solid-OIDC Client IDs are URLs that dereference to a JSON-LD document, the Client ID document.

The Client ID document is a JSON-LD document with:

  • A @context value of

  • Fields conformant to an OIDC client registration.

For example, the following sample JSON-LD document may be found by dereferencing the Client ID

  "@context": "",
  "client_id": "",
  "redirect_uris": [""],
  "client_name": "My Sample App",
  "client_uri": "",
  "logo_uri": "",
  "tos_uri": "",
  "policy_uri": "",
  "contacts": [""],
  "scope" : "openid offline_access webid",
  "grant_types" : ["refresh_token","authorization_code"],
  "post_logout_redirect_uris": [

For more information, see Solid-OIDC Client IDs.

Authenticated Session#

From these framework, once a user has successfully authenticated, you can access the ID Token, and create an authenticated Session using OpenIdSession. For example:

import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;

public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
    Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());

Statically Registered Single-User App#

For applications that run on behalf of a single-user only (such as a single-user command-line app), you can statically register application if static registration is supported by your Solid Identity Provider. For example, if using the Solid Identity Provider for Inrupt’s Pod Spaces, you can statically register your application via its Application Registration page.

Static registration results in a Client ID and Client Secret pair, which can be used for Client Credentials flow.


Safeguard your Client ID and Client Secret values. Do not share these with any third parties as anyone with your Client ID and Client Secret values can impersonate you and act fully on your behalf.

import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;

public class MyPersonalApplication {

    // For PodSpaces, the IdentityProvider is

    public void run(String myIdentityProvider, String myClientID, String myClientSecret) {

          URI issuer = URI.create(myIdentityProvider);
          Session session = OpenIdSession.ofClientCredentials(

          // ... Perform operations as the user who registered the app

       } catch (Exception e) {

Session with Access Grants#

To use Access Requests and Grants, applications uses both Access Grant(s) and an OpenID-based session to build an AccessGrantSession. For example:

AccessGrant grant = // ....;
Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);

Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);

For information on access grants, see Access Requests and Grants.