# Authentication

## OpenID Sessions for Multi-User Web Application

Inrupt’s Java Client Libraries can work with third-party libraries and frameworks that support [OpenID Connect](https://openid.net/connect/) and [OAuth2](https://datatracker.ietf.org/doc/html/rfc6749) (for example, [Spring Security](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html), [Quarkus](https://quarkus.io/guides/security-openid-connect-client-reference)). To support the [OIDC login flow](https://openid.net/developers/how-connect-works/), these frameworks typically require you to configure:

* a **`client_id`** and
* an OpenID provider (e.g., **`https://login.inrupt.com`** for PodSpaces).

To log your users in and out, refer to your framework’s documentation on OpenID Connect support.

If your OpenID Provider supports the [Solid-OIDC specification](https://solid.github.io/solid-oidc/), the `client_id` can be a URI that [dereferences to a Client Identifier document](/sdk/java-sdk/authentication/solid-oidc-client-identifiers.md).

#### Authenticated Session

Once a user has successfully logged in, you can access the ID Token from your framework, and create an authenticated [Session](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html) using the [OpenIdSession](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/openid/OpenIdSession.html) class. For example:

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URL;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
//...

// Expense is the application's own resource type.
public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
    // Build the session from the ID Token of the user making this request.
    Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());
    //...
}
```

{% hint style="info" %}
In multi-user contexts, multiple sessions in a single application must be managed to ensure that one user’s session is not used by another user. See [Session Management](/sdk/java-sdk/authentication/session-management.md) for more information.
{% endhint %}

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).
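One way to keep sessions separated per user, as an added example that is not Inrupt's own code: `UserSessionRegistry` and its methods are hypothetical names, and the sketch assumes Spring Security's `OidcUser` as in the snippet above. Each session is keyed by the user's issuer and subject, rebuilt when the ID Token changes, and reset on logout.

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: one Session per logged-in user, never shared across users. */
public class UserSessionRegistry {

    // user key -> (ID Token the session was built from, session)
    private final Map<String, Map.Entry<String, Session>> sessions = new ConcurrentHashMap<>();

    // Issuer + subject identifies a user; a subject alone is only unique per issuer.
    private static String key(OidcUser user) {
        return user.getIssuer() + "|" + user.getSubject();
    }

    /** Returns this user's session, rebuilding it if the ID Token has changed. */
    public Session sessionFor(OidcUser user) {
        String idToken = user.getIdToken().getTokenValue();
        return sessions.compute(key(user), (k, old) -> {
            if (old != null && old.getKey().equals(idToken)) {
                return old; // same user, same token: reuse
            }
            if (old != null) {
                old.getValue().reset(); // drop credentials cached for the old token
            }
            return Map.entry(idToken, OpenIdSession.ofIdToken(idToken));
        }).getValue();
    }

    /** Call from the framework's logout handler so nothing outlives the login. */
    public void onLogout(OidcUser user) {
        Map.Entry<String, Session> removed = sessions.remove(key(user));
        if (removed != null) {
            removed.getValue().reset();
        }
    }
}
```

Request handlers then call `sessionFor(authedUser)` with the authenticated principal of the current request, never with a session held in a shared field.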

## OpenID Sessions for Statically Registered Single-User App

For applications that run <mark style="color:red;">**on behalf of a single user only**</mark> (such as a single-user command-line app), you can statically register your application if your Solid Identity Provider supports static registration. For example, if using the Solid Identity Provider for Inrupt’s [PodSpaces](/podspaces/podspaces.md), you can statically register your application via its [Application Registration](https://login.inrupt.com/registration.html) page.

Static registration results in a Client ID and Client Secret pair, which can be used for [Client Credentials](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) flow.

{% hint style="danger" %}
Safeguard your **`Client ID`** and **`Client Secret`** values. Do not share these with any third parties as anyone with your **`Client ID`** and **`Client Secret`** values can impersonate you and act fully on your behalf.
{% endhint %}

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;

public class MyPersonalApplication {

    // For PodSpaces, the IdentityProvider is https://login.inrupt.com

    public void run(String myIdentityProvider, String myClientID, String myClientSecret) {
        try {

            URI issuer = URI.create(myIdentityProvider);
            Session session = OpenIdSession.ofClientCredentials(
                issuer,
                myClientID,
                myClientSecret,
                "client_secret_basic");

            // ... Perform operations as the user who registered the app

        } catch (Exception e) {
            //...
        }
    }
}
```

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).
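A launcher that keeps the Client Secret out of source code and clears cached credentials on exit, as an added example that is not Inrupt's own code. The class name, helper methods and the environment variable names `SOLID_IDP`, `SOLID_CLIENT_ID` and `SOLID_CLIENT_SECRET` are assumptions made for this sketch.

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;

public class MyPersonalApplicationLauncher {

    // Reads a required setting from the environment; fails closed if it is absent.
    // The value itself is never placed in the exception message.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    // The secret is sent to this issuer, so accept only an absolute https URI.
    static URI requireHttpsIssuer(String value) {
        URI issuer = URI.create(value);
        if (!"https".equalsIgnoreCase(issuer.getScheme()) || issuer.getHost() == null) {
            throw new IllegalArgumentException("Identity provider must be an https URI");
        }
        return issuer;
    }

    public static void main(String[] args) {
        // Environment variable names are assumptions of this example.
        URI issuer = requireHttpsIssuer(requireEnv("SOLID_IDP"));
        Session session = OpenIdSession.ofClientCredentials(
            issuer,
            requireEnv("SOLID_CLIENT_ID"),
            requireEnv("SOLID_CLIENT_SECRET"),
            "client_secret_basic");
        try {
            // ... Perform operations as the user who registered the app
        } finally {
            session.reset(); // clear cached credential data when done
        }
    }
}
```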

## Sessions for Access Grants

To use Access Requests and Grants, an application uses both an Access Grant and an OpenID-based session to build an [AccessGrantSession](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantSession.html). For example:

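```java
import com.inrupt.client.accessgrant.AccessGrant;
import com.inrupt.client.accessgrant.AccessGrantSession;
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
//...

AccessGrant grant = ...; // the Access Grant issued to your application
Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);

// Combine the OpenID-based session with the grant.
Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);
```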

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).

For information on access grants, see [Access Requests and Grants](/sdk/java-sdk/access-requests-and-grants.md).


