    2.0.3 • Public • Published

    Solid OIDC Access Token Verifier

    This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

    It conforms to the Solid OIDC specification.

    See also: Solid OIDC Primer Request Flow


    • DPoP Bound Access Tokens
    • Bearer Access Tokens
    • Caching of:
      • WebID Identity Providers
      • Identity Providers JSON Web Key Sets
      • A minimalistic cache of DPoP token identifiers to mitigate replays, which are otherwise mostly mitigated by the 60 seconds maximum DPoP token age. It should be improved to take a configurable maximum number of requests per second, so that the cache cannot overflow before a replay. De facto, anyone who really wants to mitigate this attack should plug in a cache that can support high numbers of requests: someone could easily overflow an LRU cache by logging lots of requests as themselves before replaying the token. That is, if the server can answer fast enough...
    • Custom Identity Verification Classes to extend to specific caching strategies if needed
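
The replay-cache weakness described in the caching list above, next to one hardened design, as an added example that is not code from this library. All class and function names are hypothetical, and the timestamps and identifiers are constructed.

```typescript
const MAX_DPOP_AGE_MS = 60_000; // the 60 second maximum DPoP token age

interface JtiCache {
  // Returns true when the proof identifier is accepted as not seen before.
  accept(jti: string, iatMs: number, now: number): boolean;
}

// Weak form: eviction is driven by size, so a flood pushes out a still-valid jti.
class LruJtiCache implements JtiCache {
  private readonly seen = new Map<string, number>();
  private readonly maxEntries: number;
  constructor(maxEntries: number) { this.maxEntries = maxEntries; }
  accept(jti: string, _iatMs: number, now: number): boolean {
    if (this.seen.has(jti)) return false;
    if (this.seen.size >= this.maxEntries) {
      const oldest = this.seen.keys().next().value as string;
      this.seen.delete(oldest); // forgotten even though the proof may still be valid
    }
    this.seen.set(jti, now);
    return true;
  }
}

// Hardened form: an entry leaves only once its proof is too old to pass the age
// check, and a full cache rejects new proofs instead of forgetting old ones.
class ExpiringJtiCache implements JtiCache {
  private readonly seen = new Map<string, number>(); // jti -> expiry (ms)
  private readonly maxEntries: number;
  constructor(maxEntries: number) { this.maxEntries = maxEntries; }
  accept(jti: string, iatMs: number, now: number): boolean {
    if (now - iatMs > MAX_DPOP_AGE_MS) return false; // older than the maximum age
    this.seen.forEach((expiry, id) => { if (expiry < now) this.seen.delete(id); });
    if (this.seen.has(jti)) return false; // replay inside the validity window
    if (this.seen.size >= this.maxEntries) return false; // full: fail closed
    this.seen.set(jti, iatMs + MAX_DPOP_AGE_MS);
    return true;
  }
}

// Constructed scenario: a proof is used once, the cache is flooded with fresh
// identifiers, then the first proof is presented again 10 seconds later.
function replayAcceptedAfterFlood(cache: JtiCache, floodSize: number): boolean {
  const t0 = 1_700_000_000_000; // constructed timestamp
  cache.accept("first-proof", t0, t0);
  for (let i = 0; i < floodSize; i++) cache.accept(`flood-${i}`, t0, t0 + 1);
  return cache.accept("first-proof", t0, t0 + 10_000);
}
```

Failing closed turns a cache flood into rejected requests rather than an accepted replay, so the capacity has to be sized for the peak request rate over 60 seconds.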

    How to?

    Verify Solid Access Tokens with a simple function:

    import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
    import { createSolidTokenVerifier } from '@solid/access-token-verifier';

    // Create the verifier once and reuse it across requests.
    const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();

    // The rest runs inside an async request handler where authorizationHeader,
    // dpopHeader, requestMethod and requestURL are taken from the incoming request.
    try {
      const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
        authorizationHeader as string,
        {
          // DPoP parameters: the DPoP header plus the method and URL of the request
          header: dpopHeader as string,
          method: requestMethod as RequestMethod,
          url: requestURL as string
        }
      );
      console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);
      return { webId, clientId };
    } catch (error: unknown) {
      const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;
      throw new Error(message);
    }

    The solidOidcAccessTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.



    npm i @solid/access-token-verifier

    Unpacked Size

    208 kB

    • matthieubosquet
    • joachimvh
    • justinwb
    • rubenverborgh
    • kjetilk
    • codenamedmitri
    • jaxoncreed
    • ajacksified
    • inrupt_ci
    • nseydoux
    • pmcb55
    • megoth
    • vincenttunru
    • michielbdejong
    • virginiabalseiro
    • timbl
    • bourgeoa