Solid OpenID Connect Service

Inrupt’s Solid OpenID Connect Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The Solid OpenID Connect Service allows a Solid user to login with any existing OIDC-compliant identity provider.

Solid OpenID Connect Service Configuration

Required Settings

The following configuration properties (listed as environment variables) are required:

INRUPT_OPENID_ISSUER

The URL of the OpenID issuer. The installation script automatically sets this value.

Corresponding system property: inrupt.openid.issuer

QUARKUS_OIDC_AUTH_SERVER_URL

The URL of your OIDC authentication server. The installation script prompts for this value.

Corresponding system property: quarkus.oidc.auth-server-url

QUARKUS_OIDC_CLIENT_ID

Your OIDC client ID. The installation script prompts for this value.

Corresponding system property: quarkus.oidc.client-id

QUARKUS_OIDC_CREDENTIALS_SECRET

Your OIDC credentials. The installation script prompts for this value.

Corresponding system property: quarkus.oidc.credentials.secret

SMALLRYE_JWT_SIGN_KEY_LOCATION

Path to your JWT Key location. The installation script automatically sets this value.

Corresponding system property: smallrye.jwt.sign.key-location

Optional Settings

The following settings are optional:

COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_VALUE

Default: 10

The maximum time to wait for the client resolvers to identify clients.

See also COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_UNIT for the time unit.

Corresponding system property: com.inrupt.openid.cdi.DefaultClientResolverService/fetchRemoteClient/Timeout/value

COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_UNIT

Default: SECONDS

Valid values are the ChronoUnit enum constants as strings; e.g., SECONDS, MINUTES, HOURS, etc.

See also COM_INRUPT_OPENID_CDI_DEFAULTCLIENTRESOLVERSERVICE_FETCHREMOTECLIENT_TIMEOUT_VALUE for the amount of time.

Corresponding system property: com.inrupt.openid.cdi.DefaultClientResolverService/fetchRemoteClient/Timeout/unit

INRUPT_OPENID_ACCESS-TOKEN-SUB

Default: false

A boolean flag that specifies whether to include a subject sub claim in the user’s access token. Set to true to include.

Corresponding system property: inrupt.openid.access-token-sub

INRUPT_OPENID_APPROVAL_TEMPLATE-LOCATION

The location of a custom approval HTML page to be shown as part of the login flow. Leave unset to use the default approval page. For an example of setting a custom approval page, see Customize Approval Page.

Corresponding system property: inrupt.openid.approval.template-location

INRUPT_OPENID_CLIENT-DOMAIN-ALLOWLIST

A comma-delimited list of allowed client domains (e.g., https://registry.example/,https://apps.example/registry/).

If set, only the listed client domains are allowed unless also denied in the INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST. If unset, all client domains are allowed with the exception of any domains listed in the INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST.

See also INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST

Corresponding system property: inrupt.openid.client-domain-allowlist

INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST

A comma-delimited list of denied client domains (e.g., https://registry.example/,https://apps.example/registry/).

If set, the listed client domains are not allowed. If unset, all client domains are allowed unless INRUPT_OPENID_CLIENT-DOMAIN-ALLOWLIST is set.

Corresponding system property: inrupt.openid.client-domain-denylist
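The precedence rules for the two lists above, modelled as an added Python reference check (not code from the Solid OpenID Connect Service itself). It assumes that each list entry is matched as a URL prefix against the client identifier, which the page does not specify; the sample values are constructed.

```python
import os


def parse_domain_list(raw):
    """Parse a comma-delimited client domain list such as the value of
    INRUPT_OPENID_CLIENT-DOMAIN-ALLOWLIST. Returns None when unset/empty,
    so callers can distinguish "no allowlist" from "empty allowlist"."""
    if raw is None:
        return None
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return None
    # Assumption: entries are URL prefixes. Normalise to a trailing slash so
    # that "https://registry.example/" cannot match a client hosted under
    # "https://registry.example.attacker/".
    return [e if e.endswith("/") else e + "/" for e in entries]


def matches(client_id, domains):
    """True if the client identifier URL falls under any listed prefix."""
    cid = client_id if client_id.endswith("/") else client_id + "/"
    return any(cid.startswith(d) for d in domains)


def client_allowed(client_id, allowlist=None, denylist=None):
    """Apply the documented precedence: a denylisted domain is always
    rejected; with an allowlist set, only listed domains are accepted;
    with no allowlist, everything not denylisted is accepted."""
    if matches(client_id, denylist or []):
        return False
    if allowlist is None:
        return True
    return matches(client_id, allowlist)


def client_allowed_from_env(client_id, env=os.environ):
    """Evaluate a client against the two environment variables."""
    allow = parse_domain_list(env.get("INRUPT_OPENID_CLIENT-DOMAIN-ALLOWLIST"))
    deny = parse_domain_list(env.get("INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST"))
    return client_allowed(client_id, allow, deny)


if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    env = {
        "INRUPT_OPENID_CLIENT-DOMAIN-ALLOWLIST": "https://registry.example/,https://apps.example/registry/",
        "INRUPT_OPENID_CLIENT-DOMAIN-DENYLIST": "https://apps.example/registry/untrusted/",
    }
    for cid in ("https://registry.example/app", "https://apps.example/registry/untrusted/app",
                "https://apps.example/other/app", "https://registry.example.attacker/app"):
        print(cid, "->", client_allowed_from_env(cid, env))
```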

INRUPT_OPENID_CUSTOM-CLAIMS

Comma-delimited mapping of custom claims to scopes having the form <claim1>=<scope1><scope2>...,<claim2>=<scope>... (e.g., appid=myapp,avatar=myapp,pet=myapp).

Corresponding system property: inrupt.openid.custom-claims

INRUPT_OPENID_JWT_ALTERNATIVE-PUBLIC-KEY-LOCATIONS

A comma-delimited list of paths to alternative keys for signing. The property can

Corresponding system property: inrupt.openid.jwt.alternative-public-key-locations

INRUPT_OPENID_LOGOUT_URL

The logout URL for the OIDC backend.

Corresponding system property: inrupt.openid.logout.url

INRUPT_OPENID_POD_REGISTRATION-URL

Specifies the Pod registration URL (e.g., https://pod.server.example/register) if provisioning a Pod during the post_consent stage of authentication. The setting is required to integrate with ESS for the Pod provision.

Corresponding system property: inrupt.openid.pod.registration-url

INRUPT_OPENID_POD_REGISTRATION-AGENT

The WebID of the agent if provisioning a Pod during the post_consent stage of authentication. The setting is required to integrate with ESS for the Pod provision.

Corresponding system property: inrupt.openid.pod.registration-agent

INRUPT_OPENID_SCHEDULED-TASKS

Default: 300s (every 300 seconds)

The interval at which to run scheduled jobs in the background. The value is a string that specifies the number of seconds followed by the letter s.

Corresponding system property: inrupt.openid.scheduled-tasks

INRUPT_OPENID_SCOPES

A comma-delimited list of scopes (e.g., openid,offline_access) available for the applications.

Corresponding system property: inrupt.openid.scopes

INRUPT_OPENID_USER-CLAIM-NAME

A custom claim for a user’s WebID.

Corresponding system property: inrupt.openid.user-claim-name (e.g., inrupt.openid.user-claim-name=my-claim)

INRUPT_OPENID_WEBHOOK_POST-CONSENT_URL

The URL to which the post_consent Webhook sends data. The data sent includes:

  • OIDC issuer claim

  • OIDC subject claim

  • Solid WebID claim

  • Authentication stage (e.g., post_consent)

Corresponding system property: inrupt.openid.webhook.post-consent.url

QUARKUS_OIDC_AUTHENTICATION_SCOPES

A comma-delimited list of scopes (e.g., openid,offline_access) available from the backend.

Corresponding system property: quarkus.oidc.authentication.scopes

QUARKUS_DATASOURCE_JDBC_URL

The JDBC URL of the datasource.

For more information, see https://quarkus.io/guides/datasource#quarkus-agroal_quarkus.datasource.jdbc.url

Corresponding system property: quarkus.datasource.jdbc.url

QUARKUS_OIDC_LOGOUT_PATH

The relative path of the logout endpoint. For more information, see https://quarkus.io/guides/security-openid-connect#quarkus-oidc_quarkus.oidc.logout.path.

Corresponding system property: quarkus.oidc.logout.path

QUARKUS_OIDC_LOGOUT_POST-LOGOUT-PATH

The relative path of the endpoint to which the user should be redirected after logging out. For more information, see https://quarkus.io/guides/security-openid-connect#quarkus-oidc_quarkus.oidc.logout.post-logout-path.

Corresponding system property: quarkus.oidc.logout.post-logout-path

SMALLRYE_JWT_NEW-TOKEN_LIFESPAN

Default: 300

The number of seconds before access tokens and ID tokens expire.

Corresponding system property: smallrye.jwt.new-token.lifespan

Configure Solid OpenID Connect Service

To update the configuration, you can use Kustomize overlays. For examples, see

For additional information and examples on customizing ESS, see Customize ESS.

Identity Broker/WebID

Generally, the first time a user logs into Inrupt’s Enterprise Solid Server, a new Pod is provisioned for this user. This process includes creating a WebID for the user and assigning access permissions for this WebID.

WebID Construction (Inrupt’s Identity Broker)

Defining the WebID of a user or agent is the responsibility of the identity provider. On ESS, the user’s Pod URL and WebID have the following pattern:

  • For the Pod URL, append the username to the domain; i.e., https://<domain>/<username>.

  • For the WebID, append /profile/card#me to the Pod URL; i.e., https://<domain>/<username>/profile/card#me.

For example, if a user has the username alice with an existing identity provider, then ESS creates the following Pod and WebID for this user (assuming pods.example.com is the ESS domain):

Pod URL

https://pods.example.com/alice/

WebID

https://pods.example.com/alice/profile/card#me