Solid OpenID Connect Service#

Inrupt’s Solid OpenID Connect Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The Solid OpenID Connect Service allows a Solid user to login with any existing OIDC-compliant identity provider.

See also:

Identity Broker/WebID#

Generally, the first time a user logs into Inrupt’s Enterprise Solid Server, a new Pod is provisioned for this user. This process includes creating a WebID for the user and assigning access permissions for this WebID.

WebID Construction (Inrupt’s Identity Broker)#

Defining the WebID of a user or agent is the responsibility of the identity provider. On ESS, the user’s Pod URL and WebID have the following pattern:

  • For the Pod URL, append the username to the domain; i.e., https://<domain>/<username>/.

  • For the WebID, append /profile/card#me to the Pod URL; i.e., https://<domain>/<username>/profile/card#me.

For example, if a user has the username alice with an existing identity provider, then ESS creates the following Pod and WebID for this user (assuming the as the ESS domain):



Solid OpenID Connect Service Configuration#

Required Settings#

The following configuration properties (listed as environment variables) are required:


The URL of the OpenID issuer. The installation script automatically sets this value.


The URL of your OIDC authentication server. The installation script prompts for this value.


Your OIDC client ID. The installation script prompts for this value.


Your OIDC credentials. The installation script prompts for this value.


Path to your JWT Key location. The installation script automatically sets this value.

Optional Settings#

The following settings are optional:


Default: 10

The maximum time to wait for the client resolver to fetch remote application identifiers.



Default: SECONDS

Valid values are the ChronoUnit Enum Constants constants as strings; e.g., SECONDS, MINUTES, HOURS, etc.



Default: false

A boolean flag that specifies whether to include a subject sub claim in the user’s access token. Set to true to include.


The location of a custom approval HTML page to be shown as part of the login flow. Leave unset to use the default approval page. For an example of setting a custom approval page, see Customize Approval Page.


A comma-delimited list of allowed domains for application identifiers (e.g., https://registry.example/,https://apps.example/registry/).

If set, only the listed domains are allowed for application identifiers unless the domain is also denied in the INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST. If unset, all domains are allowed for appliction identifiers with the exception of any domains listed in the INRUPT_OPENID_CLIENT_DOMAIN_DENYLIST configuration.



A comma-delimited list of domains that are not acceptable for application identifiers (e.g., https://registry.example/,https://apps.example/registry/).

If set, application identifiers from the listed domains are not allowed. If unset, all domains are allowed unless INRUPT_OPENID_CLIENT_DOMAIN_ALLOWLIST is set.


Comma-delimited mapping of custom claims to OAuth2 scopes having the form <claim1>=<scope1>,<claim2>=<scope2>,... (e.g., appid=myapp,avatar=myapp,pet=myapp).


A comma-delimited list of paths to alternative keys to include in the service’s public JSON Web Key Set. The property may be useful when rotating signing keys while continuing to support the verification of older signatures.


If the backing authorization server does not support OpenID-based logout but does have a custom logout endpoint, that value can be defined with this configuration.

Do not use this setting with ``QUARKUS_OIDC_LOGOUT_PATH``.


Specifies the Pod registration URL (e.g., https://pod.server.example/register) for provisioning a Pod during the post_consent stage of authentication.

When integrating with ESS, this setting is required.


The WebID of the agent if provisioning a Pod during the post_consent stage of authentication.

When integrating with ESS, this setting is required.


Default: 300s (every 300 seconds)

The interval at which to run scheduled jobs in the background. The value is a string that specifies the number of seconds followed by the letter s.

This configuration is only relevant for PostgreSQL-based deployments.


A comma-delimited list of OAuth2 scopes (e.g., openid,offline_access) available for client applications.


By default, WebID values are derived from the sub claim in the ID tokens produced by the backing identity provider. If a different claim is to be used, that should be set with this configuration.

For example, if the identity provider produces tokens with a user_id claim, this setting will use that claim instead of the sub claim when generating WebID values.

Care should be taken when using this setting. An operator should ensure that values in this claim are unique across the corresponding user pool.


The URL to which the post_consent Webhook sends data. The data sent includes:

  • OIDC issuer claim

  • OIDC subject claim

  • Solid WebID claim

  • Authentication stage (e.g., post_consent)

This can be used with an external auditing system that keeps track of all OpenId-based user consent agreements.


When the INRUPT_OPENID_WEBHOOK_POST_CONSENT_URL configuration is used with endpoints that require authentication, this setting can be used to populate an Authorization header in those requests.


A user’s WebID value is formed from either the sub claim from the backing identity provider or from another claim (via the INRUPT_OPENID_USER_CLAIM_NAME setting). This setting makes it possible to prefix these incoming values with a supplied string.

For example, if the identity provider generates ID tokens with a sub claim of 123456, a WebID URL might otherwise be formed as https://pod.server.example/123456/profile/card#me. With this setting, a prefix of user_ would result in WebID values taking this form: https://pod.server.example/user_123456/profile/card/#me.

Care should be taken with this value. An operator should not change this after users have begun provisioning Pods with their WebID.


A comma-delimited list of OAuth2 scopes (e.g., openid,offline_access) available from the the backend.


The URL of the datasource. This is only relevant for PostgreSQL-based deployments.

For more information, see


If the backing identity provider supports user-initiated logout, as defined by the OpenID Connect specification, this property can be used to define the path where logout is initiated. For example, if this service is running at https://id.example, a logout path of /logout would set the url https://id.example/logout as the logout path for the application.

This configuration should not be used if the backing identity provider does not support OpenID Connect-based logout.

For more information, see


If QUARKUS_OIDC_LOGOUT_PATH is used, this value must be set as /endsession.


Default: 300

The number of seconds before access tokens and ID tokens expire.

Configure Solid OpenID Connect Service#

To update the configuration, you can use Kustomize overlays. For examples, see

For additional information and examples on customizing ESS, see Customize ESS.