# Authentication Single-User Application Inrupt provides the `@inrupt/solid-client-authn-node` library to authenticate in Node.js. ``` npm install @inrupt/solid-client-authn-node ``` ## Node.js: Single-User Application Your application can use the `@inrupt/solid-client-authn-node` library to handle the user authentication flow. Although your application can start the authentication flow that involves browser-based user interactions with a Solid Identity Provider, as an alternative, you can separately obtain refresh tokens and client credentials for use in your application. That is, if your Solid Identity Provider supports refresh tokens and/or client credentials as grant types, then: 1. As a prerequisite, you can first obtain: * refresh token and client credentials (from dynamic or static registration of the application), or * client credentials from static registration of the application. This is done separately from the application. 2. Then, in your application, you can use either: * refresh tokens and client credentials, or * client credentials only if the application is statically registered. {% hint style="info" %} **Refresh Tokens/Client Credentials Support** Solid Identity Providers are not required to support either refresh tokens or client credentials. Inrupt’s ESS and PodSpaces support refresh tokens and client credentials. {% endhint %} ### Authenticate with Statically Registered Client Credentials **Prerequisite** If supported by your Solid Identity Provider, statically register your application. The registration results in a Client ID and Client Secret pair. For example, if using the Solid Identity Provider for Inrupt’s Pod Spaces, you can statically register your application via its Inrupt Application Registration page. **Update Application Code** For a statically registered application, you can use the `@inrupt/solid-client-authn-node` library with the client credentials for the the user authentication flow: 1. Create a new [Session](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html#constructor) for the user. By default, the Session is *periodically* refreshed in the background using the refresh token; you can override this periodic behavior by specifying `keepAlive: false` as a Session option to the Session constructor. 2. Call the [Session.login()](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html#login) function, passing in the [ILoginInputOptions](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html). Although you can pass in the options (`oidcIssuer`, `redirectUrl`, `handleRedirect`) to start the authentication flow, you can instead pass in the following options with the values obtained from the prerequisite section to login without the manual, browser-based user interactions: * [clientId](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html#clientid) * [clientSecret](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html#clientsecret) * [oidcIssuer](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html#oidcissuer), the Solid Identity Provider where your `Client ID` and `Client Secret` have been registered. * `customScopes`, an optional set of custom scopes requested by the client in addition to the default ones. This allows for application-specific claims to be added to the ID Token by the OpenID Provider. When `login()` returns, your session should be logged in and able to make authenticated requests. {% hint style="danger" %} Safeguard your `clientId` and `clientSecret` values. Do not share these with any third parties as anyone with your `clientId` and `clientSecret` values can impersonate you and act fully on your behalf. {% endhint %} **Example** The following single-user application calls [Session.login()](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html#login) with: * `clientId`, `clientSecret`, and * `oidcIssuer`. ```javascript const { Session } = require("@inrupt/solid-client-authn-node"); // 1. Get the authenticated credentials: myClientId, myClientSecret // and myIdentityProvider, the Solid Identity Provider associated with the credentials. // ... // ... // Important: Safeguard these credentials. const session = new Session(); session.login({ // 2. Use the authenticated credentials to log in the session. clientId: myClientId, clientSecret: myClientSecret, oidcIssuer: myIdentityProvider }).then(() => { if (session.info.isLoggedIn) { // 3. Your session should now be logged in, and able to make authenticated requests. session // You can change the fetched URL to a private resource, such as your Pod root. .fetch(session.info.webId) .then((response) => { return response.text(); }) .then(console.log); } }); ``` **Static Registration of a Client Application** If your Solid Identity Provider provides a mechanism to statically register applications, your applications can use the associated client credentials to login. **Availability** Inrupt’s PodSpaces provides an [Application Registration page](https://login.inrupt.com/registration.html) where you can statically register your applications to generate credentials for them. It is available for users with accounts on `https://login.inrupt.com`; i.e., users who have registered a Pod with PodSpaces. To use, visit the [Application Registration](https://login.inrupt.com/registration.html) to register your client. More information about this service can be found in the [Application Registration documentation](https://github.com/inrupt/docs-gitbook/blob/main/guides/authentication-in-solid/broken-reference/README.md) for the ESS Solid OIDC Broker Service. For availability of static client registration for your Solid Identity Provider, see your Solid Identity Provider’s documentation.