Standalone Solid-OIDC Client Authorization

[sportdeath]

Hi :)

I'm interested in developing a server that can authenticate a user's webId, just like a solid pod does when a user requests an access-controlled resource. Obviously, I don't want to roll my own Solid-OIDC request flow and so I was hoping to use this project's implementation, but I'm struggling to get my head wrapped around the architecture of this project enough to pull out the piece I need.

Essentially, I want to add an authorization server component to my application. Clients that have already performed an Oauth2 flow and received a token from some external identity provider should be able to make a request to my authorization server that then validates that the client is indeed logged in with a particular webId. My authorization server gives the client a token that confirms this authorization which they can use to fetch and access-controlled resource from another endpoint on my server.

Can someone give me some pointers, please?

Thank you!
Theia

[elf-pavlik]

Hello,

Currently CSS doesn't provide a UMA authorization server described in the flow you referenced. I know that there is work happening on #1154

[sportdeath]

Oh hm.. then how does CSS authenticate clients requesting access-controlled data? I don't need a separate authorization server per-se, I just need to be able to authenticate clients and know that they are who they say they are... but I only want users to have to go through an Oauth flow once (presumably with a single identity provider) to be able to attest their identity to multiple different servers. I'm sorry if I'm a bit confused on the spec, I'm new to Solid. Thank you for your help :)

[elf-pavlik]

No worries. CSS has a Solid-OIDC Provider but is still from the 0.1 version of Solid-OIDC. This means that the access token, not the ID token, is DPOP bound. It is easy to get confused since the most popular Solid-OIDC client has yet to implement the pre 0.1 version. If you need an ID token with a webid claim, the currently implemented version could still work for you, assuming your application will act as OIDC RP and work within a single security domain. For now, you could also use the global DPOP-bound access tokens. Remember that in Solid-OIDC 0.1, those access tokens were already deprecated in favor of exchanging the id token with RS-associated UMA AS. Could you give me more details about your architecture so I can understand how the different pieces should fit together?

[joachimvh]

Authenticating a WebID using an access token happens in the DPoPWebIdExtractor, which then uses the access-token-verifier library to verify if the token can be used to prove that the client is allowed to identify as a specific WebID.

If I understand correctly, what you want is to authenticate a WebID using a different kind of token. This would then require writing a new kind of Authorizer, one that can correctly interpret your kind of token. You would then also need some way to associate this token with a specific WebID. To then link a WebID to a token, you could add a new triple to the WebID indicating this link somehow, with a unique value that can be identified with the token.