Now I’m trying to update my code so that it also works for the newest, shiniest, pod.inrupt.com pods. I’m using, the latest Solid OIDC Primer from October 4 2021 as my guide for this.
Next I need to do an authorization request which should include the client_id plus redirect_uri (as specified in the client_id document). When I send this all to https://broker.pod.inrupt.com/authorization it just resonds with a JSON error resonse:
It sounds like you are using static client id, is that right? i.e., https://hochstenbach.inrupt.net/public/web-solid-auth.jsonld#this. Does pod.inrupt.com support that? So far all my use has been with dynamic registration.
That’s an excellent question. I’d too like to know the answer. I’d really like to have a document/page that explains the differences across different platforms/servers.
That’s an excellent question. Supported features should be discoverable through the .well-known/openid-configuration document. The Solid-OIDC specification mandates that an Identity Provider should specify its support for the specification required features by including "solid_oidc_supported": "https://solidproject.org/TR/solid-oidc" in its configuration document. However, the specification being still a moving target, this doesn’t solve all of the issues. That’s where the automated test suite comes into play: hopefully, we can write tests for each specification feature, and publish the results so that it’s clear what is supported by whom. In the meantime, we may need to manually document this, I opened a related specification issue to see what can be done.
All this to say that yes, Client ID documents are supported by https://broker.pod.inrupt.com/authorization. You’ll notice that the error message mentions that the client is remote, which is specific to Client ID documents, so the Identity Provider understood the intent, but it looks like the identifier doesn’t match the expected shape. Nothing jumps at me looking at the client document, but could you provide the whole request to the authorization endpoint for additional context ? For instance, can you confirm that the provided redirec_uri matches exactlyhttp://localhost:3000/callback (no additional slash or query parameters) ?
Thanks for this clarification! I’ve tested again and it all runs smoothly now. Maybe a temporary hiccup. It would be great to have a clarification in in the documents (human,machine readable) which kinds of clients are supported by an Pod/
Indeed, also at my end I have again the same issue with the request that worked 5 days ago. It seems to be a temporary issue at the broker service at Inrupt.
I’ve also got dynamic registration working fine but not client id documents.
My understanding was that the server only checks that the document obtained when fetching the client id includes the redirect_uri.
Both the examples above seem to satisfy this.
I assume this means that the server either checks other properties too, has other validation requirements, or somehow failed to retrieve the client identifier document.
It looks like community-server (WebIdAdaptorFactory) checks the context and client_id too.
It then uses the oidc-provider library, which might have additional requirements?
I also had trouble with both local and non-local redirect_uris, but would understand if local redirects were prohibited.
In my case I added a debug line in client_schema.js of node-oidc-provider, which is imported by the community server and found that the issue was that the webid scope is not yet supported.
For @hochstenbach that doesn’t seem to be the problem given webid is already omitted.
For @crspybits that might to the trick (while recognising that omitting the webid scope might cause problems down the line)
I can confirm solidweb.me and broker.pod.inrupt.com both successfully redirected me to the login screen, i.e. the client identifier document was accepted.
solidweb.me fails too, but the output is more interesting to me:
It could be in this case (and perhaps with broker.pod.inrupt.com too?) it is assuming the client is web based. i.e., my redirect URI is
biz.SpasticMuffin.Neebla.solidSignIn:/config
For mobile applications and specifically, iOS, there are different constraints on the redirect URI. I’m going to try changing the redirect URI at least for a test and see what happens.
It might be worth reporting to CSS github if non-web redirects are not supported, and to Inrupt if CSS supports the client id document and ESS doesn’t.
When I go to https://broker.pod.inrupt.com/ and I try to login I get the error: {"error":"invalid_client","error_description":"Invalid client_id"}. Any idea?
Edit: Before I was using Chrome so I tried another browser (Firefox) and there it is working…
Before I was also getting the error when I was browsing directly to the https://broker.pod.inrupt.com page, now I get the error only in Chrome (Firefox still works) when running a simple application where I’m using some solid-ui-react components:
Could you share the sequence of network interactions between the application and https://broker.pod.inrupt.com ? From the code snippet you shared, it looks like you’re not using a Client Identifier (an IRI to a JSON-LD document containing client information), so your client should go though Dynamic Client Registration. You should see a request to the identity Provider .well-known/oidc-configuration document, followed by a POST to a /registration endpoint. Then, the window should be redirected to the Identity Provider for you to log in, and finally there should be a POST to the /token endpoint. This last POST should have a base-64 value in the Authorization header. If you decode the value, it should follow the pattern <client id>:<client secret>, with the id and secret matching the values returned in the response from the /registration endpoint. Can you confirm that it is the case ?
If not, one thing to note if that the Inrupt React components expect to be wrapped in the SessionProvider component (see the storybooks examples or the doc’s sample app). Not doing so may still work because the default session is used in both cases, but that may be causing your issue.