An authentication system determines the identity of a user or agent and the level of trust associated with this identity.
OpenID Connect (OIDC) defines a standard mechanism by which a web application leads a user through a login flow. The flow results in a signed JSON web token (JWT) that asserts the identity of the user.
Solid builds on the OpenID Connect specificiations. Rather than
representing the identity of a user with any string (e.g.,
user1234), Solid identifies users with a URL that can be
dereferenced as a WebID profile (e.g.,
https://domain.com/user1234). The WebID profile resource makes
claims about trusted identity providers that can legitimately issue
signed JSON web token on behalf of this WebID.
Signed Access Token¶
An important part of this trust model is based on the signed JSON web token. A Pod server can verify that the token signature is legitimate by using a well-defined protocol that is part of the OIDC specification. If the signature is not valid or if the token has expired, a client will be denied access to a Pod.
As an additional layer of protection against token stealing and various replay attacks, Solid clients send an additional token (specifically a DPoP token) that cryptographically proves that the client is in legitimate possession of the access token while also scoping the request to a particular Pod resource. This helps prevent against token exfiltration attacks.
Ultimately, this results in sending a trustworthy access token, along with a DPoP token, to a Pod server that unambiguously identifies a user or agent.
OIDC Broker Identity Service¶
ESS’s OpenID Connect (OIDC) Broker Service provides a compatibility layer between Solid that identifies users with a WebID and traditional OpenID Connect (OIDC) applications that identify users with strings. The OIDC Broker Service allows a Solid user to login with any existing OIDC-compliant identity provider.