Authentication
OpenID Sessions for Multi-User Web Application
Inrupt’s Java Client Libraries can work with 3rd party libraries/frameworks that support OpenID Connect and OAuth2 (for example, Spring Security, Quarkus). To support the OIDC login flow, these frameworks typically require you to configure a client_id and an OpenID provider (e.g., https://login.inrupt.com for PodSpaces).
To login/logout your users, refer to your framework’s documentation on OpenID Connect support.
If your OpenID Provider supports the Solid-OIDC specification, the client_id can be a URI that dereferences to a Client Identifier document.
Authenticated Session
Once a user has successfully logged in, you can access the ID Token from your framework, and create an authenticated Session using the OpenIdSession class. For example:
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URL;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
//...
// Expense is assumed to be the application's own resource class.
public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
    // Build a Session from the ID Token issued to the logged-in user.
    Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());
    //...
}
To clear cached credential data from the session, use Session.reset().
OpenID Sessions for Statically Registered Single-User App
For applications that run on behalf of a single user only (such as a single-user command-line app), you can statically register your application if static registration is supported by your Solid Identity Provider. For example, if using the Solid Identity Provider for Inrupt’s PodSpaces, you can statically register your application via its Application Registration page.
Static registration results in a Client ID and Client Secret pair, which can be used for Client Credentials flow.
Safeguard your Client ID and Client Secret values. Do not share these with any third parties as anyone with your Client ID and Client Secret values can impersonate you and act fully on your behalf.
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;
public class MyPersonalApplication {
    // For PodSpaces, the IdentityProvider is https://login.inrupt.com
    public void run(String myIdentityProvider, String myClientID, String myClientSecret) {
        try {
            URI issuer = URI.create(myIdentityProvider);
            Session session = OpenIdSession.ofClientCredentials(
                issuer,
                myClientID,
                myClientSecret,
                "client_secret_basic");
            // ... Perform operations as the user who registered the app
        } catch (Exception e) {
            //...
        }
    }
}
To clear cached credential data from the session, use Session.reset().
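The following is an added example, not code from the original page or from Inrupt: it shows one way to keep the Client ID and Client Secret out of source code and to guarantee that Session.reset() runs after the work is done. The class name, the environment variable names and the https-only issuer check are assumptions of this example; only OpenIdSession.ofClientCredentials and Session.reset() come from the page.

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;
import java.util.function.Consumer;

public final class ClientCredentialsRunner {
    // Environment variable names are assumptions made for this example.
    static final String ENV_ISSUER = "SOLID_ISSUER";
    static final String ENV_CLIENT_ID = "SOLID_CLIENT_ID";
    static final String ENV_CLIENT_SECRET = "SOLID_CLIENT_SECRET";

    // Read a required setting; the error names the variable, never its value.
    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value.trim();
    }

    // Refuse to send the Client Secret to an issuer that is not reached over TLS.
    static URI httpsIssuer(String raw) {
        URI issuer = URI.create(raw);
        if (!"https".equalsIgnoreCase(issuer.getScheme()) || issuer.getHost() == null) {
            throw new IllegalArgumentException("Issuer must be an absolute https URI");
        }
        return issuer;
    }

    // Build the session, run the caller's work, and always clear cached credentials.
    static void runWithSession(Consumer<Session> work) {
        Session session = OpenIdSession.ofClientCredentials(
                httpsIssuer(required(ENV_ISSUER)),
                required(ENV_CLIENT_ID),
                required(ENV_CLIENT_SECRET),
                "client_secret_basic");
        try {
            work.accept(session);
        } finally {
            session.reset();
        }
    }

    public static void main(String[] args) {
        runWithSession(session -> {
            // ... perform operations as the user who registered the app
        });
    }
}
```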
Sessions for Access Grants
To use Access Requests and Grants, applications use both an Access Grant and an OpenID-based session to build an AccessGrantSession. For example:
AccessGrant grant = // ....;
Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);
Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);
To clear cached credential data from the session, use Session.reset().
For information on access grants, see Access Requests and Grants.