Authorization Code Flow


#1

I cannot figure out how to post to the API using my token obtained through an authorization code flow. I send my access_token I received, in the header of my request (Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9pRHN6Q0xkR1c0In0…) and I received:
WWW-Authenticate: Bearer realm="https://solid.community", error="access_denied", error_description="Token does not pass the audience allow filter"

When I decode the id_token I received with the access token, I see that the aud and the azp are the client id that the token is for. Without more specific guidance, I am just floundering here. TIA for any help!


#2

Assuming it is a JavaScript based web-app, I strongly recommend using solid-auth-client.js and rdflib.js as mentioned in the “Make an app in your lunch break” tutorial https://solid.inrupt.com/docs/app-on-your-lunch-break and https://solid.inrupt.com/docs/manipulating-ld-with-rdflib. Those libraries take care of all the heavy lifting needed for authentication and working with linked data.

You can see my “learning story” here: “My first app - adding resources?”, and a similar story here: “Question about retrieving data”.


#3

Thanks for the reply. My app is not JavaScript based. Those libraries (solid-auth-client.js and rdflib.js) seem to use a simple login or an Id token. That works if the user will be logged in. My app is server to server so I am attempting to use an auth token.


#4

The token proves to the storage that the app acts on behalf of the user. So even if you run a server-side or command-line app, it will use this login token to communicate with the storage.

There is another way to do this: your app server should host a foaf profile, and in order to “issue” a token to that app, the user edits the .acl file on the storage to list that from now on, not only the user themselves, but also https://cool-app.com/foaf#card has access to that folder. Then, instead of presenting a proof-of-id of the user themselves, the app provides its own proof-of-id, and the ACL on the storage pod allows it access.

As far as I know, there is currently no way to issue bearer tokens in the traditional sense. Some more discussion about this here: Read-only or sub-folder OIDC scopes?
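What the .acl edit described in the reply above looks like in practice, as an added example that is not part of the original thread: a Web Access Control file for a folder that keeps the owner's full rights and additionally grants the app's own WebID (https://cool-app.com/foaf#card, from the reply) Read and Write but not Control. The owner WebID and folder are constructed placeholders; the app is deliberately not given acl:Control so it cannot rewrite the ACL itself.

```turtle
# Constructed example: <folder>/.acl on the user's pod.
@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

# The pod owner keeps full rights to the folder and everything below it.
<#owner>
    a acl:Authorization ;
    acl:agent    <https://alice.solid.community/profile/card#me> ;  # constructed owner WebID
    acl:accessTo <./> ;
    acl:default  <./> ;
    acl:mode     acl:Read, acl:Write, acl:Control .

# The server-to-server app authenticates with its own WebID-OIDC identity
# (its hosted foaf profile) and is allowed to read and write, but not to
# change permissions (no acl:Control): least privilege for the delegated app.
<#app>
    a acl:Authorization ;
    acl:agent    <https://cool-app.com/foaf#card> ;
    acl:accessTo <./> ;
    acl:default  <./> ;
    acl:mode     acl:Read, acl:Write .
```

Because acl:default makes the rule inherit to child resources, scope the grant to the narrowest folder the app actually needs rather than the pod root.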


#5

Thanks. So it looks like, for now at least, I will have to do what I was doing with testing, which is to provide write permissions via ACL and use a simple login method, like performLogin in https://github.com/solid/solid-cli/blob/master/src/SolidClient.js#L154 (which is probably not going to be generic enough for general use as I assume servers will have different login pages and field names from each other).