An authentication system determines the identity of a user or agent and the level of trust associated with this identity.
OpenID Connect (OIDC) defines a standard mechanism by which a web application leads a user through a login flow. The flow results in a signed JSON web token (JWT) that asserts the identity of the user.
Solid builds on the OpenID Connect specificiations. Rather than
representing the identity of a user with any string (e.g.,
user1234), Solid identifies users with a URL that can be
dereferenced as a WebID profile (e.g.,
https://domain.com/user1234). The WebID profile resource makes
claims about trusted identity providers that can legitimately issue
signed JSON web token on behalf of this WebID.
Signed Access Token#
An important part of this trust model is based on the signed JSON web token. A Pod server can verify that the token signature is legitimate by using a well-defined protocol that is part of the OIDC specification. If the signature is not valid or if the token has expired, a client will be denied access to a Pod.
Demonstration of Proof-of-Possession (DPoP) Token#
As an additional layer of protection against token stealing and various replay attacks, Solid clients send an additional token (specifically a DPoP token) that cryptographically proves that the client is in legitimate possession of the access token while also scoping the request to a particular Pod resource. This helps prevent against token exfiltration attacks.
Ultimately, this results in sending a trustworthy access token, along with a DPoP token, to a Pod server that unambiguously identifies a user or agent.
Solid OIDC Broker Service#
ESS’s Solid OpenID Connect (OIDC) Broker Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The Solid OIDC Broker Service allows a Solid user to login with any existing OIDC-compliant identity provider.