POD Authentification from another server (not solid)


#1

Hi everyone,

I would like to know if a custom application web service can perform login action on a POD if it known the POD credentials without being redirect to POD login page.

Thanks for your help


#2

Hi @mguiral, that’s an excellent question. So, part of the answer is going to be - what do you mean by an app performing a login action? Will the app have its own WebID, and so be present in various access control lists? Or would you like the app to login on behalf of a particular user?


#3

Hi @codenamedmitri,
First thanks a lot for your previous answer. I try to create an application that have some informations stored into a database and other informations stored into the organization POD. So i will have an middleware server that must logged into the organization POD. This server knows the organization credentials.

Do you think my scenario is possible?

Thanks for your help


#4

Got it. So, the easy (though not exactly optimal) short-term answer is to have the application log in using those credentials, via the /login endpoint, and then just use the obtained cookie with its requests.

For an example of how to do that in code, take a look at the performLogin function in solid-cli (that function uses username + password credentials, but the same logic would apply with a WebID TLS certificate as credential).

The proper way to do this would be… well, it depends. There’s two basic options that come with trade-offs:

1 - User Token approach

A long-lived WebID-OIDC access token, which is a mechanism where a user delegates access to the app. This is a common pattern with app delegation; for example, Facebook calls this User Access Token. The benefit of this approach is that the app itself does not store the user credentials. The downside is that a human has to be involved (at least during app setup) to enter in their credentials. This is kind of like whole-disk-encryption – it’s great, and secure, but it’s annoying that a sysadmin has to be present every time the server reboots (to enter in the encryption password). This option can be done right now, with no alterations to Solid Server. (although we can probably add a nicer UI for a developer to register their own app).

2 - App Token approach

Giving an app its own credentials, its own identity. For example, Google does this with their Service Accounts (see their guide on Server to Server Applications), and Facebook does this with App Access Tokens. The benefit of this approach is - again, the app does not store user credentials, and it’s possible to have fine-grained permissions just for the app, separate from the user. But that’s also the downside, since you have to modify your ACLs to specifically give access to the app. (Notice that both Google and Facebook specifically limit what an app access token can do, it has many fewer privileges than a user token.)


#5

Thanks a lot for the anwser it save my life.
Unfortunately the solid cli works fine with inrupt pod but not with my solid server pods. It must be an configuration mistake