https://github.com/communitysolidserver/access-token-verifier
Solid access token verification
https://github.com/communitysolidserver/access-token-verifier
Last synced: 3 months ago
JSON representation
Solid access token verification
- Host: GitHub
- URL: https://github.com/communitysolidserver/access-token-verifier
- Owner: CommunitySolidServer
- License: mit
- Created: 2021-01-07T16:21:01.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2024-03-12T05:07:54.000Z (about 2 years ago)
- Last Synced: 2024-12-02T05:36:25.376Z (over 1 year ago)
- Language: TypeScript
- Homepage:
- Size: 1.29 MB
- Stars: 4
- Watchers: 6
- Forks: 5
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Solid OIDC Access Token Verifier
[](https://solidproject.org/)
[](https://github.com/solid/access-token-verifier/actions/workflows/test-unit.yml?query=workflow%3Atest+branch%3Amain)
[](https://www.npmjs.com/package/@solid/access-token-verifier)
This library verifies Solid OIDC access tokens via their `webid` claim, and thus asserts ownership of a [WebID](https://www.w3.org/2005/Incubator/webid/spec/).
It conforms to the [Solid OIDC specification](https://solid.github.io/solid-oidc/).
See also: [Solid OIDC Primer Request Flow](https://solid.github.io/solid-oidc/primer/#request-flow)
## Supports
- DPoP Bound Access Tokens
- Bearer Access Tokens
- Caching of:
- WebID Identity Providers
- Identity Providers JSON Web Key Sets
- A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly
mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable
max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really
wanted to mitigate this attack, they should plug a cache that can support high numbers of requests.
Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying
the token. That is if the server can answer fast enough...
- Custom Identity Verification Classes to extend to specific caching strategies if needed
## How to?
Verify Solid Access Tokens with a simple function:
```javascript
import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
import { createSolidTokenVerifier } from '@solid/access-token-verifier';
const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();
try {
const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
authorizationHeader as string,
{
header: dpopHeader as string,
method: requestMethod as RequestMethod,
url: requestURL as string
}
);
console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);
return { webId, clientId };
} catch (error: unknown) {
const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;
console.log(message);
throw new Error(message);
}
```
The `solidOidcAccessTokenVerifier` function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.
## TODO
- Further sanitation of inputs? For example a maximum authorization header size. Needs further discussions before resolution.
- Improve default caching? Assess other libraries that might be used.
- Evolve the type guards and the type guard library.
- Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.
- ~~Enforce client ID when support is wide enough as per: https://solid.github.io/solid-oidc/#tokens-access~~
- Enforce `azp` claim in the next library which should target ID tokens as opposed to Access tokens as per the [updated Solid-OIDC spec](https://solid.github.io/solid-oidc/#tokens-id)
- Enforce DPoP ath claim when support is wide enough as per: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04#section-4.2