Skip to content

CommunitySolidServer/access-token-verifier

Repository files navigation

Solid OIDC Access Token Verifier

Project Solid Test workflow npm package

This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

It conforms to the Solid OIDC specification.

See also: Solid OIDC Primer Request Flow

Supports

  • DPoP Bound Access Tokens
  • Bearer Access Tokens
  • Caching of:
    • WebID Identity Providers
    • Identity Providers JSON Web Key Sets
    • A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
  • Custom Identity Verification Classes to extend to specific caching strategies if needed

How to?

Verify Solid Access Tokens with a simple function:

import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
import { createSolidTokenVerifier } from '@solid/access-token-verifier';

const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();

try {
  const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
    authorizationHeader as string,
    {
      header: dpopHeader as string,
      method: requestMethod as RequestMethod,
      url: requestURL as string
    }
  );

  console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);

  return { webId, clientId };
} catch (error: unknown) {
  const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;

  console.log(message);

  throw new Error(message);
}

The solidOidcAccessTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.

TODO