Authorization Code Flow

dconorozzo · December 3, 2018, 4:12pm

I cannot figure out how to post to the API using my token obtained through an authorization code flow. I send my access_token I received, in the header of my request (Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9pRHN6Q0xkR1c0In0…) and I received:
WWW-Authenticate: Bearer realm=“https://solid.community”, error=“access_denied”, error_description=“Token does not pass the audience allow filter”

When I decode the id_token I received with the access token, I see that the aud and the azp is the client id that the token is for. Without more specific guidance, I am just floundering here. TIA for any help!

JornWildt · December 3, 2018, 7:24pm

Assuming it is a Javascript based web-app, I strongly recommend using solid-auth-client.js and rdflib.js as mentioned in the “Make an app in your lunch break”-tutorial https://solid.inrupt.com/docs/app-on-your-lunch-break and https://solid.inrupt.com/docs/manipulating-ld-with-rdflib. Those libraries take care of all the heavy lifting needed for authentication and working with linked data.

You can see my “learning story” here: My first app - adding resources? - and a similar story here Question about retrieving data

dconorozzo · December 3, 2018, 8:23pm

Thanks for the reply. My app is not JavaScript based. Those libraries (solid-auth-client.js and rdflib.js) seem to use a simple login or an Id token. That works if the user will be logged in. My app is server to server so I am attempting to use an auth token.

michielbdejong · December 5, 2018, 10:18am

The token proves to the storage that the app acts on behalf of the user. So even if you run a server-side or command-line app, it will use this login token to communicate with the storage.

There is another way to do this: your app server should host a foaf profille, and in order to “issue” a token to that app, the user edits the .acl file on the storage to list that from now on, not only the user themselves, but also https://cool-app.com/foaf#card has access to that folder. Then, instead of presenting a proof-of-id of the user themselves, the app provides its own proof-of-id, and the ACL on the storage pod allows it access.

As far as I know, there is currently no way to issue bearer tokens in the traditional sense. Some more discussion about this here: Read-only or sub-folder OIDC scopes?

dconorozzo · December 5, 2018, 3:12pm

Thanks. So it looks like, for now at least, I will have to do what I was doing with testing, which is to provide write permissions via ACL and use a simple login method, like performLogin in https://github.com/solid/solid-cli/blob/master/src/SolidClient.js#L154 (which is probably not going to be generic enough for general use as I assume servers will have different login pages and field names from eachother).

Topic		Replies	Views
Accessing SOLID pod from a mobile application	30	4761	July 22, 2021
Authorizing requests using an indentity from a different provider Build a Solid App	7	575	June 20, 2021
An application can easily get around apps permissions Solid Specification	17	1787	May 24, 2020
New 401 Unauthorized access	13	1264	March 20, 2022
WebApp authentication and backend authentication	3	373	April 7, 2023

Authorization Code Flow

Related topics