# Authentication

Authentication is the process of verifying the identity of an [agent](https://docs.inrupt.com/reference/glossary#agent). To access private data, you must authenticate as an agent who has been granted appropriate access to that data.

### Authentication Flows

Solid authentication is based on the [Solid-OIDC](https://solid.github.io/solid-oidc/) specification. [Solid-OIDC](https://solid.github.io/solid-oidc/) builds upon the [OpenID Connect](https://openid.net/connect/) standards, which in turn build on the [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) authorization framework.

For applications implementing [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps):

1. The application starts the login process by sending the user to the user’s Solid Identity Provider.
2. The user logs in to the Solid Identity Provider.
3. The Solid Identity Provider sends the user back to your application, where the application handles the returned authentication information to complete the login process.

<figure><img src="https://2584838151-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLMLxFYifBOpjrf8rQMX1%2Fuploads%2Fgit-blob-207f8c5cf3aef0f5dea5f8a1e9e63cc211e63e67%2Flogin-flow.png?alt=media" alt=""><figcaption></figcaption></figure>
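The application-side work in steps 1 and 3, shown with Node.js built-ins as an added example (it is not code from the Inrupt libraries). The function names `buildAuthRequest` and `handleRedirect` are hypothetical, the `openid webid` scope follows Solid-OIDC, and the DPoP proof that accompanies the token request is left out.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// Step 1: build the URL that sends the user to the Solid Identity Provider.
// `pending` must be kept by the application (per login attempt) until step 3.
function buildAuthRequest({ authorizationEndpoint, clientId, redirectUri }) {
  const state = randomBytes(16).toString("base64url"); // ties the response to this attempt
  const codeVerifier = randomBytes(32).toString("base64url"); // PKCE secret (RFC 7636)
  const params = {
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid webid",
    state,
    code_challenge: createHash("sha256").update(codeVerifier).digest("base64url"),
    code_challenge_method: "S256",
  };
  const url = new URL(authorizationEndpoint);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return { url: url.toString(), pending: { state, codeVerifier, clientId, redirectUri } };
}

// Step 3: validate the redirect, then return the token-request parameters.
function handleRedirect(callbackUrl, pending) {
  const url = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    throw new Error("callback does not match the redirect_uri that was sent");
  }
  const got = Buffer.from(url.searchParams.get("state") ?? "");
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error("state mismatch: response does not belong to this login attempt");
  }
  if (url.searchParams.has("error")) {
    throw new Error(`provider returned error: ${url.searchParams.get("error")}`);
  }
  const code = url.searchParams.get("code");
  if (!code) throw new Error("missing authorization code");
  return {
    grant_type: "authorization_code",
    code,
    client_id: pending.clientId,
    redirect_uri: pending.redirectUri,
    code_verifier: pending.codeVerifier, // lets the provider verify the PKCE challenge
  };
}
```

A redirect whose `state` does not match the stored value is rejected before the code is ever sent to the token endpoint, which is what keeps a response injected from another session from completing the login.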

For applications implementing [Client Credentials](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) flow:

1. The application (such as a single-user script) logs in, on behalf of the user who registered the client, by sending its client credentials to its Solid Identity Provider (i.e., where the user registered the client).
2. The Solid Identity Provider returns the tokens to the app.

### Inrupt Client Libraries

Inrupt provides the following libraries for authentication:

* **`solid-client-authn-browser`** to authenticate in a browser.
* **`solid-client-authn-node`** to authenticate in Node.js.

<details>

<summary>Note about Client IDs</summary>

In [Solid-OIDC](https://solid.github.io/solid-oidc/) (i.e., in [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) and [OpenID Connect](https://openid.net/connect/)), an application identifies itself using a [client identifier (Client ID)](https://solid.github.io/solid-oidc/#clientids).

A Client ID can be:

* a URL that dereferences to a [Client ID Document](https://solid.github.io/solid-oidc/#clientids-document).
* a value that has been registered using either [OIDC dynamic or static registration](https://solid.github.io/solid-oidc/#clientids-oidc).

Inrupt’s client libraries provide `login` APIs that support:

* Specifying a Client ID (of type URL) that dereferences to a [Client ID Document](https://solid.github.io/solid-oidc/#clientids-document).
* [Dynamic registration of the client](https://www.rfc-editor.org/rfc/rfc7591#section-3.1).
* Logging in with client credentials (Client ID and Secret) from static registration.

</details>

[Authentication](https://docs.inrupt.com/guides/authentication-in-solid) in Solid can be performed:

* [via OIDC directly in the browser](https://docs.inrupt.com/guides/authentication-in-solid/authentication-from-browser)
* [via OIDC through a backend](https://docs.inrupt.com/guides/authentication-in-solid/authentication-server-side)
* [via OAuth Client Credentials](https://docs.inrupt.com/guides/authentication-in-solid/authentication-single-user-application)

See the linked guides for more information.
