Solid OIDC Access Token Verifier
This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.
It conforms to the Solid OIDC specification.
See also: Solid OIDC Primer Request Flow
Supports
- DPoP Bound Access Tokens
- Bearer Access Tokens
- Caching of:
- WebID Identity Providers
- Identity Providers JSON Web Key Sets
- A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
- Custom Identity Verification Classes to extend to specific caching strategies if needed
How to?
Verify Solid Access Tokens with a simple function:
import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
import { createSolidTokenVerifier } from '@solid/access-token-verifier';
const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();
try {
const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
authorizationHeader as string,
{
header: dpopHeader as string,
method: requestMethod as RequestMethod,
url: requestURL as string
}
);
console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);
return { webId, clientId };
} catch (error: unknown) {
const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;
console.log(message);
throw new Error(message);
}The solidOidcAccessTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.
TODO
- Further sanitation of inputs? For example a maximum authorization header size. Needs further discussions before resolution.
- Improve default caching? Assess other libraries that might be used.
- Evolve the type guards and the type guard library.
- Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.
Enforce client ID when support is wide enough as per: https://solid.github.io/solid-oidc/#tokens-access- Enforce
azpclaim in the next library which should target ID tokens as opposed to Access tokens as per the updated Solid-OIDC spec - Enforce DPoP ath claim when support is wide enough as per: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04#section-4.2