Session Management
Multi-User Web Application
Inrupt’s Java Client Libraries can work with third-party libraries and frameworks that have OpenID Connect authentication integration (for example, Spring Boot or Quarkus). These frameworks require a client_id and an authorization server URL (e.g., https://login.inrupt.com for PodSpaces).
Refer to your framework’s documentation on OpenID Connect support.
Solid Client ID
Inrupt’s Enterprise Solid Server (ESS) supports the use of Solid-OIDC Client Identifiers (Client IDs). The Solid-OIDC Client IDs are URLs that dereference to a JSON-LD document, the Client ID document.
The Client ID document is a JSON-LD document with:
- A @context value of https://www.w3.org/ns/solid/oidc-context.jsonld.
- Fields conformant to an OIDC client registration.
For example, the following sample JSON-LD document may be found by dereferencing the Client ID https://my-app.example.com/myappid:
    {
      "@context": "https://www.w3.org/ns/solid/oidc-context.jsonld",
      "client_id": "https://my-app.example.com/myappid",
      "redirect_uris": ["https://my-app.example.com/callbackAfterLogin"],
      "client_name": "My Sample App",
      "client_uri": "https://my-app.example.com/",
      "logo_uri": "https://my-app.example.com/logo.png",
      "tos_uri": "https://my-app.example.com/terms.html",
      "policy_uri": "https://my-app.example.com/policy.html",
      "contacts": ["someone@example.com"],
      "scope": "openid offline_access webid",
      "grant_types": ["refresh_token", "authorization_code"],
      "post_logout_redirect_uris": [
        "https://my-app.example.com/"
      ]
    }
For more information, see Solid-OIDC Client IDs.
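A pre-publication check for the Client ID document described above, as an added example that is not Inrupt's code. It assumes Jackson is on the classpath; the class name, the `check` method and the same-host redirect policy are assumptions of this example, and the sample input is constructed.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class, not part of Inrupt's libraries).
public class ClientIdDocumentCheck {
    static final String SOLID_OIDC_CONTEXT = "https://www.w3.org/ns/solid/oidc-context.jsonld";

    // Returns a list of problems; an empty list means the document passed every check.
    public static List<String> check(URI dereferencedFrom, String json) throws Exception {
        List<String> problems = new ArrayList<>();
        JsonNode doc = new ObjectMapper().readTree(json);

        // @context may be a single string or an array that includes the Solid-OIDC context.
        JsonNode ctx = doc.path("@context");
        boolean hasContext = SOLID_OIDC_CONTEXT.equals(ctx.asText());
        for (JsonNode c : ctx) {
            hasContext |= SOLID_OIDC_CONTEXT.equals(c.asText());
        }
        if (!hasContext) problems.add("@context does not reference " + SOLID_OIDC_CONTEXT);

        // As in the sample above, client_id is expected to equal the URL the document is served from.
        if (!dereferencedFrom.toString().equals(doc.path("client_id").asText())) {
            problems.add("client_id does not match the URL it was dereferenced from");
        }

        // Local policy (assumption): every redirect URI is https and on the Client ID's host.
        JsonNode redirects = doc.path("redirect_uris");
        if (!redirects.isArray() || redirects.isEmpty()) problems.add("redirect_uris is missing or empty");
        for (JsonNode r : redirects) {
            URI u = URI.create(r.asText());
            if (!"https".equals(u.getScheme()) || !dereferencedFrom.getHost().equalsIgnoreCase(u.getHost())) {
                problems.add("redirect URI rejected by local policy: " + r.asText());
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the redirect URI points at a different host than the Client ID.
        String json = "{\"@context\":\"" + SOLID_OIDC_CONTEXT + "\","
            + "\"client_id\":\"https://my-app.example.com/myappid\","
            + "\"redirect_uris\":[\"https://other.example.net/callbackAfterLogin\"]}";
        check(URI.create("https://my-app.example.com/myappid"), json).forEach(System.out::println);
    }
}
```

Running it on the constructed sample reports the off-host redirect URI; the sample document shown earlier on this page passes all three checks.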
Authenticated Session
With these frameworks, once a user has successfully authenticated, you can access the ID Token and create an authenticated Session using OpenIdSession. For example:
    import com.inrupt.client.auth.Session;
    import com.inrupt.client.openid.OpenIdSession;
    import java.net.URL;
    import org.springframework.security.oauth2.core.oidc.user.OidcUser;
    //...
    // Expense is the application's own resource class.
    public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
        // Build a session from the ID Token of the user the framework authenticated.
        Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());
        //...
    }
Statically Registered Single-User App
For applications that run on behalf of a single user only (such as a single-user command-line app), you can statically register the application if your Solid Identity Provider supports static registration. For example, if using the Solid Identity Provider for Inrupt’s PodSpaces, you can statically register your application via its Application Registration page.
Static registration results in a Client ID and Client Secret pair, which can be used for the Client Credentials flow.
Warning
Safeguard your Client ID and Client Secret values. Do not share these with any third parties as anyone with your Client ID and Client Secret values can impersonate you and act fully on your behalf.
    import com.inrupt.client.auth.Session;
    import com.inrupt.client.openid.OpenIdSession;
    import java.net.URI;

    public class MyPersonalApplication {
        // For PodSpaces, the IdentityProvider is https://login.inrupt.com
        public void run(String myIdentityProvider, String myClientID, String myClientSecret) {
            try {
                URI issuer = URI.create(myIdentityProvider);
                Session session = OpenIdSession.ofClientCredentials(
                    issuer,
                    myClientID,
                    myClientSecret,
                    "client_secret_basic");
                // ... Perform operations as the user who registered the app
            } catch (Exception e) {
                //...
            }
        }
    }
Session with Access Grants
To use Access Requests and Grants, an application uses both one or more Access Grants and an OpenID-based session to build an AccessGrantSession. For example:
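    import com.inrupt.client.accessgrant.AccessGrant;
    import com.inrupt.client.accessgrant.AccessGrantSession;
    //...
    AccessGrant grant = /* ... obtain the Access Grant ... */;
    Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);
    Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);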
For information on access grants, see Access Requests and Grants.