# Authentication

## OpenID Sessions for Multi-User Web Application

Inrupt’s Java Client Libraries can work with third-party libraries and frameworks that support [OpenID Connect](https://openid.net/connect/) and [OAuth2](https://datatracker.ietf.org/doc/html/rfc6749) (for example, [Spring Security](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html), [Quarkus](https://quarkus.io/guides/security-openid-connect-client-reference)). To support the [OIDC login flow](https://openid.net/developers/how-connect-works/), these frameworks typically require you to configure:

* a **`client_id`** and
* an OpenID provider (e.g., **`https://login.inrupt.com`** for PodSpaces).

To log your users in and out, refer to your framework’s documentation on OpenID Connect support.

If your OpenID Provider supports the [Solid-OIDC specification](https://solid.github.io/solid-oidc/), the `client_id` can be a URI that [dereferences to a Client Identifier document](https://docs.inrupt.com/sdk/java-sdk/authentication/solid-oidc-client-identifiers).

#### Authenticated Session

Once a user has successfully logged in, you can access the ID Token from your framework, and create an authenticated [Session](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html) using the [OpenIdSession](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/openid/OpenIdSession.html) class. For example:

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URL;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
//...

public Expense fetchAsUser(OidcUser authedUser, URL expenseURL) {
    // Build the session from the ID Token of the user who made this request.
    Session session = OpenIdSession.ofIdToken(authedUser.getIdToken().getTokenValue());
    //...
}
```

{% hint style="info" %}
In multi-user contexts, multiple sessions in a single application must be managed to ensure that one user’s session is not used by another user. See [Session Management](https://docs.inrupt.com/sdk/java-sdk/authentication/session-management) for more information.
{% endhint %}

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).
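The following added example (not part of Inrupt's documentation or libraries) contrasts a session cached in shared state with one scoped to a single call, which is the failure the note above warns about. The class names `SharedSessionService` and `ScopedSessionService` and the `asUser` helper are hypothetical; only `OpenIdSession.ofIdToken` and `Session.reset()` come from the page.

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.util.function.Function;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public class PerUserSessions {

    // Anti-pattern: a singleton service that caches one Session in a field.
    // Every later caller, whoever they are, runs with the first user's credentials.
    static class SharedSessionService {
        private Session session; // shared across all requests and users

        <T> T asUser(OidcUser user, Function<Session, T> work) {
            if (session == null) {
                session = OpenIdSession.ofIdToken(user.getIdToken().getTokenValue());
            }
            return work.apply(session);
        }
    }

    // Per-call scoping: the Session is built from the caller's own ID Token,
    // is never stored in shared state, and is reset once the work completes.
    static class ScopedSessionService {
        <T> T asUser(OidcUser user, Function<Session, T> work) {
            Session session = OpenIdSession.ofIdToken(user.getIdToken().getTokenValue());
            try {
                return work.apply(session);
            } finally {
                session.reset(); // clear cached credential data
            }
        }
    }
}
```

The scoped form assumes `work` finishes synchronously; if the session is handed to asynchronous code, call `reset()` only after that code has completed.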

## OpenID Sessions for Statically Registered Single-User App

For applications that run <mark style="color:red;">**on behalf of a single user only**</mark> (such as a single-user command-line app), you can statically register the application if static registration is supported by your Solid Identity Provider. For example, if using the Solid Identity Provider for Inrupt’s [PodSpaces](https://docs.inrupt.com/podspaces/podspaces), you can statically register your application via its [Application Registration](https://login.inrupt.com/registration.html) page.

Static registration results in a Client ID and Client Secret pair, which can be used for the [Client Credentials](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) flow.

{% hint style="danger" %}
Safeguard your **`Client ID`** and **`Client Secret`** values. Do not share these with any third parties as anyone with your **`Client ID`** and **`Client Secret`** values can impersonate you and act fully on your behalf.
{% endhint %}

```java
import com.inrupt.client.auth.Session;
import com.inrupt.client.openid.OpenIdSession;
import java.net.URI;

public class MyPersonalApplication {

    // For PodSpaces, the IdentityProvider is https://login.inrupt.com

    public void run(String myIdentityProvider, String myClientID, String myClientSecret) {
        try {
            URI issuer = URI.create(myIdentityProvider);
            Session session = OpenIdSession.ofClientCredentials(
                issuer,
                myClientID,
                myClientSecret,
                "client_secret_basic");

            // ... Perform operations as the user who registered the app

        } catch (Exception e) {
            //...
        }
    }
}
```

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).

## Sessions for Access Grants

To use Access Requests and Grants, applications use both an Access Grant and an OpenID-based session to build an [AccessGrantSession](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantSession.html). For example:

```java
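// grant: an AccessGrant obtained earlier; idToken: the logged-in user's ID Token
public Session sessionForGrant(AccessGrant grant, String idToken) {
    Session myOpenIDSession = OpenIdSession.ofIdToken(idToken);

    Session myAccessGrantSession = AccessGrantSession.ofAccessGrant(myOpenIDSession, grant);
    return myAccessGrantSession;
}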
```

To clear cached credential data from the session, use [Session.reset()](https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/auth/Session.html#reset\(\)).

For information on access grants, see [Access Requests and Grants](https://docs.inrupt.com/sdk/java-sdk/access-requests-and-grants).
