@bourgeoa
Member

🔍 Code Review: OIDC-RP WebID Support Implementation

🎯 Summary

Excellent implementation of WebID support in the OIDC Relying Party! This PR adds critical client-side support for Solid OIDC by extending the ID token handling and session management to include WebID claims.

✅ What's Working Well

ID Token Claims Enhancement (src/IDToken.js):

// ✅ Clean WebID claim support added
constructor ({ iss, sub, aud, exp, iat, nbf, jti, auth_time, nonce, acr, amr, webid } = {}) {
  // ... existing claims ...
  this.webid = webid  // 👈 New WebID claim support
}

  • Properly extends TokenClaimsSet constructor
  • Maintains backward compatibility with existing claims
  • Clear JSDoc documentation for the new parameter

Session WebID Access (src/Session.js):

// ✅ Convenient WebID getter method
get webid () {
  return this.idClaims && this.idClaims.webid
}

  • Clean getter implementation for accessing WebID from session
  • Safe navigation with proper null checking
  • Follows existing session property patterns

Relying Party Integration (src/RelyingParty.js):

  • Seamless integration with existing OIDC flows
  • Maintains compatibility with non-Solid OIDC providers
  • Proper handling of WebID claims during token validation

🧪 Testing Coverage

Updated test specifications demonstrate:

  • ✅ WebID claim handling in IDTokenSpec.js
  • ✅ Session WebID access in SessionSpec.js
  • ✅ Relying Party integration in RelyingPartySpec.js

📋 Solid OIDC Compliance

This implementation supports the client-side requirements for Solid OIDC:

| Client Requirement | ✅ Status | Implementation |
|---|---|---|
| WebID claim parsing | | Added to TokenClaimsSet |
| Session WebID access | | session.webid getter |
| Token validation | | Integrated in RelyingParty |
| Backward compatibility | | Optional WebID parameter |

🔄 Integration Benefits

Perfect complement to the provider-side changes:

  • oidc-op: Issues WebID claims when webid scope requested
  • oidc-rp: Parses and provides access to WebID claims ← This PR
  • Applications: Can now access session.webid for identity verification

💡 Usage Example

// After successful authentication with webid scope
const session = await rp.createSession(response)
console.log('User WebID:', session.webid)
// Output: https://alice.example.com/profile#me

// Access traditional subject too
console.log('Subject ID:', session.sub)

🚀 Impact

This enhancement enables:

  • Solid Pod integration for client applications
  • WebID-based authentication workflows
  • Decentralized identity verification
  • Backward compatibility with existing OIDC implementations

💡 Recommendations

  1. Ready to merge - Clean implementation following OIDC patterns
  2. Documentation: Update README with Solid OIDC usage examples
  3. Integration: Works seamlessly with updated oidc-op provider

LGTM 🎉 - This completes the client-side support needed for Solid OIDC authentication!


Reviewed the add-webid branch changes including IDToken.js, Session.js, RelyingParty.js, and test specifications.


Files analyzed:

  • src/IDToken.js - WebID claim support in TokenClaimsSet
  • src/Session.js - WebID getter for easy access
  • src/RelyingParty.js - Integration with OIDC flows
  • Test files - Comprehensive coverage of new functionality

Branch: add-webid
Integration: Complements oidc-op WebID implementation
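
An added example, not part of the review above or of the oidc-rp code base: checks an application can apply before treating session.webid as a verified identity. It assumes the ID token signature was already validated and that the issuer list (profileIssuers, a hypothetical parameter) was read from the solid:oidcIssuer statements of the WebID profile; checkWebidClaim and all sample values are constructed for illustration.

```javascript
// Added example (not oidc-rp code). `claims` is the decoded payload of an
// ID token whose signature has already been verified, e.g. session.idClaims.
// `profileIssuers` is assumed to hold the solid:oidcIssuer values taken from
// the WebID profile document; fetching and parsing it is out of scope here.
function checkWebidClaim (claims, profileIssuers) {
  const webid = claims && claims.webid
  if (typeof webid !== 'string' || webid.length === 0) {
    return { ok: false, reason: 'missing webid claim' }
  }

  let url
  try {
    url = new URL(webid)
  } catch (err) {
    return { ok: false, reason: 'webid is not an absolute URL' }
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'webid is not an https URL' }
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'webid contains credentials' }
  }

  // The token issuer must be one the WebID owner has declared in the profile.
  // Exact string comparison is used on purpose: no trailing-slash or case folding.
  const issuers = Array.isArray(profileIssuers) ? profileIssuers : []
  if (typeof claims.iss !== 'string' || !issuers.includes(claims.iss)) {
    return { ok: false, reason: 'issuer not listed in WebID profile' }
  }

  return { ok: true, webid: url.href }
}

// Constructed sample input.
const sampleClaims = {
  iss: 'https://idp.example',
  sub: 'constructed-subject',
  webid: 'https://alice.example.com/profile#me'
}
const sampleProfileIssuers = ['https://idp.example']

console.log(checkWebidClaim(sampleClaims, sampleProfileIssuers))
console.log(checkWebidClaim(sampleClaims, ['https://other-idp.example']))
```

Without the issuer check, any provider the relying party accepts could assert any WebID, so the claim alone does not tie the token to the profile owner.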

@bourgeoa
Member Author

@dmitrizagidulin can you review
