    @solid/access-token-verifier

    2.0.3 • Public • Published

    Solid OIDC Access Token Verifier

    This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

    It conforms to the Solid OIDC specification.

    See also: Solid OIDC Primer Request Flow

    Supports

    • DPoP Bound Access Tokens
    • Bearer Access Tokens
    • Caching of:
      • WebID Identity Providers
      • Identity Providers JSON Web Key Sets
      • A minimalistic cache of DPoP token identifiers to mitigate replays, which are otherwise mostly mitigated by the 60 seconds maximum DPoP token age. This should be improved to take a configurable maximum number of requests per second, to avoid the cache overflowing before a replay. De facto, anyone who really wants to mitigate this attack should plug in a cache that can support high numbers of requests: someone could easily overflow an LRU cache by logging lots of requests as themselves before replaying the token. That is, if the server can answer fast enough...
    • Custom Identity Verification Classes to extend to specific caching strategies if needed
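
The cache-overflow weakness described in the DPoP identifier bullet above, as an added example that is not code from this library: a capacity-bounded LRU of seen `jti` values forgets a still-valid proof once enough other proofs arrive, while a store that keeps each `jti` for the full 60 second window and rejects new proofs when full does not. The class and function names, the capacity sizing rule and the clock values are assumptions made for the illustration.

```typescript
// Added illustration; not code from @solid/access-token-verifier. All names are hypothetical.
const MAX_DPOP_AGE_S = 60; // maximum DPoP token age stated above

// Weak variant: capacity-bounded LRU of seen jti values, oldest entry evicted when full.
class LruJtiCache {
  private seen = new Map<string, true>();
  private capacity: number;
  constructor(capacity: number) { this.capacity = capacity; }
  // Returns true when the proof is accepted, false when it is a known replay.
  accept(jti: string): boolean {
    if (this.seen.has(jti)) return false;
    if (this.seen.size >= this.capacity) {
      this.seen.delete(this.seen.keys().next().value as string); // eviction forgets a live jti
    }
    this.seen.set(jti, true);
    return true;
  }
}

// Hardened variant: a jti is kept until its proof is too old to pass the age check,
// and a full store rejects new proofs instead of evicting live entries.
// Assumed sizing: capacity = expected max requests per second * MAX_DPOP_AGE_S.
class TtlJtiStore {
  private expiry = new Map<string, number>();
  private capacity: number;
  constructor(capacity: number) { this.capacity = capacity; }
  accept(jti: string, iat: number, now: number): boolean {
    if (now - iat > MAX_DPOP_AGE_S) return false; // age check rejects old proofs
    this.expiry.forEach((exp, key) => { if (exp < now) this.expiry.delete(key); });
    if (this.expiry.has(jti)) return false; // replay inside the validity window
    if (this.expiry.size >= this.capacity) return false; // fail closed
    this.expiry.set(jti, iat + MAX_DPOP_AGE_S);
    return true;
  }
}

// Constructed scenario: proof "jti-0" is used, `filler` other proofs follow, then
// "jti-0" is presented again `delay` seconds later. Reports whether the replay passes.
function replayAccepted(capacity: number, filler: number, delay: number) {
  const t0 = 1000; // constructed clock value, in seconds
  const lru = new LruJtiCache(capacity);
  const ttl = new TtlJtiStore(capacity);
  for (let i = 0; i <= filler; i++) {
    lru.accept(`jti-${i}`);
    ttl.accept(`jti-${i}`, t0, t0);
  }
  // The LRU models only the cache, so the separate age check is applied here.
  return { lru: delay <= MAX_DPOP_AGE_S && lru.accept("jti-0"), ttl: ttl.accept("jti-0", t0, t0 + delay) };
}
```

The hardened store trades replay acceptance for refusing new proofs when it is full, which is why its capacity has to be sized from the expected request rate.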

    How to?

    Verify Solid Access Tokens with a simple function:

    import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
    import { createSolidTokenVerifier } from '@solid/access-token-verifier';
    
    // Create the verifier function
    const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();
    
    // verifyRequest is an illustrative wrapper name; its arguments come from the incoming
    // HTTP request: the Authorization header, the DPoP header, the method and the URL.
    async function verifyRequest(
      authorizationHeader: string,
      dpopHeader: string,
      requestMethod: RequestMethod,
      requestURL: string
    ) {
      try {
        const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
          authorizationHeader,
          {
            header: dpopHeader,
            method: requestMethod,
            url: requestURL
          }
        );
    
        console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);
    
        return { webId, clientId };
      } catch (error: unknown) {
        // Verification failed: log the reason and rethrow so the caller can reject the request
        const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;
    
        console.log(message);
    
        throw new Error(message);
      }
    }

    The solidOidcAccessTokenVerifier function takes an authorization header, which can be an encoded Bearer or DPoP-bound access token, and optional DPoP parameters.

    TODO

    Install

    npm i @solid/access-token-verifier

    License

    MIT

    Unpacked Size

    208 kB

    Total Files

    226

    Collaborators

    • matthieubosquet
    • joachimvh
    • justinwb
    • rubenverborgh
    • kjetilk
    • codenamedmitri
    • jaxoncreed
    • ajacksified
    • inrupt_ci
    • nseydoux
    • pmcb55
    • megoth
    • vincenttunru
    • michielbdejong
    • virginiabalseiro
    • timbl
    • bourgeoa