{"id":22281979,"url":"https://github.com/communitysolidserver/access-token-verifier","last_synced_at":"2026-01-15T22:20:34.025Z","repository":{"id":36970786,"uuid":"327664818","full_name":"CommunitySolidServer/access-token-verifier","owner":"CommunitySolidServer","description":"Solid access token verification","archived":false,"fork":false,"pushed_at":"2024-03-12T05:07:54.000Z","size":1351,"stargazers_count":4,"open_issues_count":8,"forks_count":5,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-12-02T05:36:25.376Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CommunitySolidServer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-07T16:21:01.000Z","updated_at":"2024-04-09T16:45:06.000Z","dependencies_parsed_at":"2024-06-19T05:15:16.890Z","dependency_job_id":"cdf5f03c-ed11-4abf-9d11-4553939f7f8d","html_url":"https://github.com/CommunitySolidServer/access-token-verifier","commit_stats":null,"previous_names":["solid/access-token-verifier","solid/identity-token-verifier"],"tags_count":46,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CommunitySolidServer%2Faccess-token-verifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CommunitySolidServer%2Faccess-token-verifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CommunitySolidServer%2Faccess-token-verifier/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CommunitySolidServer%2Faccess-token-verifier/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CommunitySolidServer","download_url":"https://codeload.github.com/CommunitySolidServer/access-token-verifier/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227954390,"owners_count":17846685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-03T16:24:11.097Z","updated_at":"2026-01-05T09:15:26.350Z","avatar_url":"https://github.com/CommunitySolidServer.png","language":"TypeScript","readme":"# Solid OIDC Access Token Verifier\n\n[![Project Solid](https://img.shields.io/badge/Project-Solid-7C4DFF.svg)](https://solidproject.org/)\n[![Test workflow](https://github.com/solid/access-token-verifier/workflows/Unit%20Tests/badge.svg?branch=main)](https://github.com/solid/access-token-verifier/actions/workflows/test-unit.yml?query=workflow%3Atest+branch%3Amain)\n[![npm package](https://img.shields.io/npm/v/@solid/access-token-verifier)](https://www.npmjs.com/package/@solid/access-token-verifier)\n\nThis library verifies Solid OIDC access tokens via their `webid` claim, and thus asserts ownership of a [WebID](https://www.w3.org/2005/Incubator/webid/spec/).\n\nIt conforms to the [Solid OIDC specification](https://solid.github.io/solid-oidc/).\n\nSee also: [Solid OIDC Primer Request Flow](https://solid.github.io/solid-oidc/primer/#request-flow)\n\n## Supports\n\n- DPoP Bound Access Tokens\n- Bearer Access Tokens\n- Caching of:\n  - 
WebID Identity Providers\n  - Identity Providers JSON Web Key Sets\n  - A minimalistic cache of DPoP token identifiers to mitigate replays, which are otherwise mostly\n    mitigated by the 60 seconds maximum DPoP token age. This should be improved to take a configurable\n    maximum number of requests per second, so that the cache cannot overflow before a replay. In practice,\n    anyone who really wants to mitigate this attack should plug in a cache that can support a high number of requests:\n    an LRU cache could easily be overflowed by someone logging lots of requests as themselves before replaying\n    the token, provided the server can answer fast enough.\n- Custom Identity Verification Classes to extend to specific caching strategies if needed\n\n## How to?\n\nVerify Solid Access Tokens with a simple function:\n\n```typescript\nimport type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';\nimport { createSolidTokenVerifier } from '@solid/access-token-verifier';\n\n// Create the verifier once and reuse it: it holds the caches listed above.\nconst solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();\n\n// Inputs are typed as `unknown` because they come straight from the incoming request.\nexport async function verifyRequest(\n  authorizationHeader: unknown,\n  dpopHeader: unknown,\n  requestMethod: unknown,\n  requestURL: unknown\n) {\n  try {\n    const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(\n      authorizationHeader as string,\n      {\n        header: dpopHeader as string,\n        method: requestMethod as RequestMethod,\n        url: requestURL as string\n      }\n    );\n\n    console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);\n\n    return { webId, clientId };\n  } catch (error: unknown) {\n    const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;\n\n    console.log(message);\n\n    throw new Error(message);\n  }\n}\n```\n\nThe `solidOidcAccessTokenVerifier` function takes an authorization header, which can be an encoded Bearer or DPoP bound access token, and optional DPoP parameters.\n\n## TODO\n\n- Further sanitization of inputs? For example a maximum authorization header size. Needs further discussion before resolution.\n- Improve default caching? 
Assess other libraries that might be used.\n- Evolve the type guards and the type guard library.\n- Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.\n- ~~Enforce client ID when support is wide enough as per: https://solid.github.io/solid-oidc/#tokens-access~~\n- Enforce `azp` claim in the next library which should target ID tokens as opposed to Access tokens as per the [updated Solid-OIDC spec](https://solid.github.io/solid-oidc/#tokens-id)\n- Enforce the DPoP `ath` claim when support is wide enough as per: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04#section-4.2\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommunitysolidserver%2Faccess-token-verifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcommunitysolidserver%2Faccess-token-verifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommunitysolidserver%2Faccess-token-verifier/lists"}