Authentication

Authentication directly from Browser

To initiate a login process from a browser, the startLogin function checks whether the user is already logged in by examining the session's login status. If not logged in, it uses the login function from @inrupt/solid-client-authn-browser to start the login process, specifying the OpenID Connect issuer, redirect URL, and client name. After the login process, completeLogin is used to handle the incoming redirect and complete the authentication by processing the server's response.

You can use https://login.inrupt.com OIDC provider for this if you do not have your own set up.

import {  login, getDefaultSession } from '@inrupt/solid-client-authn-browser'

// ...

async function startLogin() {
  // Start the Login Process if not already logged in.
  if (!getDefaultSession().info.isLoggedIn) {
    await login({
      oidcIssuer: "https://login.inrupt.com",
      redirectUrl: new URL("/callback", window.location.href).toString(),
      clientName: "My application"
    });
  }
}

Callback Function

After the login process, completeLogin is used in the application code to handle the incoming redirect and complete the authentication by processing the server's response.

import { handleIncomingRedirect } from '@inrupt/solid-client-authn-browser'

// ...

async function completeLogin() {
   await handleIncomingRedirect();
}

Authentication Server Side via OIDC auth-code grant

The server-side code utilizes Express.js to create a new session for each user and manage it using cookies. When a user accesses the /login endpoint, a new session is created, and the user is redirected to the Solid Identity Provider's login page to authenticate. The session data is stored, and after the authentication process is completed, the user is redirected back to /login/callback, where the authentication response is handled to finalize the login process.

const express = require("express");
const cookieSession = require("cookie-session");

const { 
  getSessionFromStorage,
  getSessionIdFromStorageAll,
  Session
} = require("@inrupt/solid-client-authn-node");

const app = express();
const port = 3000;

// The following snippet ensures that the server identifies each user's session
// with a cookie using an express-specific mechanism
app.use(
  cookieSession({
    name: "session",
    // These keys are required by cookie-session to sign the cookies.
    keys: [
      "Required, but value not relevant for this demo - key1",
      "Required, but value not relevant for this demo - key2",
    ],
    maxAge: 24 * 60 * 60 * 1000, // 24 hours
  })
);


app.get("/login", async (req, res, next) => {
  // 1. Create a new Session
  const session = new Session({ keepAlive: false }); // Turn off periodic refresh of the Session in background
  req.session.sessionId = session.info.sessionId;
  const redirectToSolidIdentityProvider = (url) => {
    // Since we use Express in this example, we can call `res.redirect` to send the user to the
    // given URL, but the specific method of redirection depend on your app's particular setup.
    res.redirect(url);
  };
  // 2. Start the login process;
  await session.login({
    // After login, the Solid Identity Provider will send the user back to the following
    redirectUrl: `http://localhost:${port}/login/callback`,
    // Set to the user's Solid Identity Provider;
    oidcIssuer: "https://login.inrupt.com",
    clientName: "Demo app",
    handleRedirect: redirectToSolidIdentityProvider,
  });
});

Callback Function

The provided code snippet demonstrates how to handle the login callback process after a user logs in via a Solid Identity Provider. It retrieves the session from storage, finalizes the login using session data from the callback URL, and confirms successful authentication by checking the isLoggedIn status. Additionally, it includes routes to perform authenticated fetch operations and handle user logout.

app.get("/login/callback", async (req, res) => {
  //.  If the user is sent back to the `redirectUrl` provided in step 2,
  //    it means that the login has been initiated and can be completed.
  const session = await getSessionFromStorage(req.session.sessionId);
  //    Complete the login process using the data appended to it as query
  //    parameters in req.url by the Solid Identity Provider:
  await session.handleIncomingRedirect(`http://localhost:${port}${req.url}`);
  if (session.info.isLoggedIn) {
    return res.send(`<p>Logged in with the WebID ${session.info.webId}.</p>`)
  }
});

Logout

The code snippet implements a logout route for the application, which retrieves the user's session from storage using the session ID stored in cookies and then logs the user out, sending a simple confirmation message that the user has been logged out.

app.get("/logout", async (req, res, next) => {
  const session = await getSessionFromStorage(req.session.sessionId);
  session.logout();
  res.send(`<p>Logged out.</p>`);
});

Authentication for Server Side Single-User Applications

To authenticate a server side single-user application, this code utilizes Inrupt's solid-client-authn-node library. It first requires the developer to register their app with a Solid OIDC identity provider (such as login.inrupt.com) to obtain a clientId and clientSecret. These credentials are then used to initiate a session, allowing the application to make secure, authenticated requests to the user's resources.

const { Session } = require("@inrupt/solid-client-authn-node");

// 1. Get the authenticated credentials: myClientId, myClientSecret

const session = new Session();
session.login({
  // 2. Use the authenticated credentials to log in the session.
  clientId: myClientId,
  clientSecret: myClientSecret,
  oidcIssuer: myIdentityProvider
}).then(() => {
  if (session.info.isLoggedIn) {
    // 3. Your session should now be logged in, and able to make authenticated requests.
    session
      // You can change the fetched URL to a private resource, such as your Pod root.
      .fetch(session.info.webId)
      .then((response) => {
        return response.text();
      })
      .then(console.log);
  }
});

PreviousAccess Prompt and Use of Access Grant NextIntroduction

Last updated 3 months ago