Authorization Code Flow

I cannot figure out how to post to the API using my token obtained through an authorization code flow. I send my access_token I received, in the header of my request (Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9pRHN6Q0xkR1c0In0…) and I received:
WWW-Authenticate: Bearer realm="", error="access_denied", error_description="Token does not pass the audience allow filter"

When I decode the id_token I received with the access token, I see that the aud and the azp is the client id that the token is for. Without more specific guidance, I am just floundering here. TIA for any help!
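As a debugging aid for the situation in the post above (an added example, not code from the thread or from any Solid library): the helper below decodes the header and payload of a compact JWT without verifying the signature, so you can compare the token's aud/azp against the audience the resource server expects, and it parses a WWW-Authenticate Bearer challenge into its error parameters. The sample token and challenge are constructed here; the issuer, subject and client id values are placeholders, not taken from the thread.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    Only for inspecting claims while debugging; never base an
    authorization decision on an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")

    def _segment(seg: str) -> dict:
        padded = seg + "=" * (-len(seg) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))

    return _segment(parts[0]), _segment(parts[1])


def audiences(payload: dict) -> set:
    """'aud' may be a single string or a list; normalise to a set."""
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return set(aud)


def audience_allowed(payload: dict, allowed) -> bool:
    """True if at least one 'aud' value is in the server's allow list."""
    return bool(audiences(payload) & set(allowed))


# Matches key="value" pairs in an RFC 6750 style Bearer challenge.
_PARAM_RE = re.compile(r'([A-Za-z_]+)\s*=\s*"([^"]*)"')


def parse_www_authenticate(header: str) -> dict:
    """Split 'Bearer realm="", error="..."' into scheme and parameters."""
    scheme, _, rest = header.partition(" ")
    params = dict(_PARAM_RE.findall(rest))
    return {"scheme": scheme, **params}


# --- constructed sample data (placeholders, not real credentials) ---
SAMPLE_HEADER = {"alg": "RS256", "kid": "example-kid"}
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example",
    "sub": "https://alice.example/profile/card#me",
    "aud": "https://app.example/client",   # audience = the client id
    "azp": "https://app.example/client",
    "exp": 4102444800,
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps(SAMPLE_HEADER).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url(b"not-a-real-signature"),
])
SAMPLE_CHALLENGE = ('Bearer realm="", error="access_denied", '
                    'error_description="Token does not pass the audience allow filter"')


def diagnose(token: str, challenge: str, expected_audiences) -> str:
    """One-line summary of why a resource server might have rejected the token."""
    _, payload = decode_jwt_unverified(token)
    ch = parse_www_authenticate(challenge)
    if ch.get("error") == "access_denied" and not audience_allowed(payload, expected_audiences):
        return (f"aud={sorted(audiences(payload))} not in allowed "
                f"{sorted(expected_audiences)}: {ch.get('error_description', '')}")
    return f"server said: {ch.get('error', 'no error parameter')}"


if __name__ == "__main__":
    hdr, pl = decode_jwt_unverified(SAMPLE_TOKEN)
    print("alg:", hdr["alg"], "aud:", pl["aud"], "azp:", pl["azp"])
    print(diagnose(SAMPLE_TOKEN, SAMPLE_CHALLENGE, ["https://pod.example/"]))
```

Because the signature is never checked, use this only to see what the token says; whether the resource server accepts a token whose aud is the client id is its own policy, which is exactly what the challenge in the post is reporting.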

Assuming it is a JavaScript-based web app, I strongly recommend using solid-auth-client.js and rdflib.js as mentioned in the “Make an app in your lunch break” tutorial. Those libraries take care of all the heavy lifting needed for authentication and working with linked data.

You can see my “learning story” here: My first app - adding resources? - and a similar story here Question about retrieving data

Thanks for the reply. My app is not JavaScript based. Those libraries (solid-auth-client.js and rdflib.js) seem to use a simple login or an ID token. That works if the user will be logged in. My app is server-to-server, so I am attempting to use an auth token.

The token proves to the storage that the app acts on behalf of the user. So even if you run a server-side or command-line app, it will use this login token to communicate with the storage.

There is another way to do this: your app server should host a foaf profile, and in order to “issue” a token to that app, the user edits the .acl file on the storage to list that from now on, not only the user themselves but also the app has access to that folder. Then, instead of presenting a proof-of-id of the user themselves, the app provides its own proof-of-id, and the ACL on the storage pod allows it access.

As far as I know, there is currently no way to issue bearer tokens in the traditional sense. Some more discussion about this here: Read-only or sub-folder OIDC scopes?
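An added illustration of the ACL approach described in the reply above (not a file from the thread or from any Solid server): a Web Access Control .acl for a folder that keeps full control for the pod owner and additionally grants Read and Write to the app's own WebID. The two WebIDs and the folder are placeholders.

```turtle
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

# The pod owner keeps Read/Write/Control on this folder and, via
# acl:default, on resources created inside it.
<#owner>
    a acl:Authorization ;
    acl:agent <https://alice.example/profile/card#me> ;
    acl:accessTo <./> ;
    acl:default <./> ;
    acl:mode acl:Read, acl:Write, acl:Control .

# The server-side app, identified by the WebID it hosts itself,
# may read and write here without any user session.
<#app>
    a acl:Authorization ;
    acl:agent <https://app.example/profile/card#me> ;
    acl:accessTo <./> ;
    acl:default <./> ;
    acl:mode acl:Read, acl:Write .
```

With this in place the app still has to authenticate as https://app.example/profile/card#me when it talks to the pod (the "own proof-of-id" the reply mentions); the ACL only says what that identity is allowed to do. Leaving acl:Control out of the app's authorization means the app cannot rewrite the .acl to widen its own access.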


Thanks. So it looks like, for now at least, I will have to do what I was doing with testing, which is to provide write permissions via ACL and use a simple login method, like performLogin (which is probably not going to be generic enough for general use, as I assume servers will have different login pages and field names from each other).