@jdgamble555 these are great questions. @jeffz has already provided some really good explanations, and I’ll try to build on those.
One of the more significant differences between Solid apps and a more traditional web application is the separation between the user’s data and the app. If you think about a traditional web application, there is typically an internal database where that data is stored. Even if there is an API for accessing that data, the API tends to be application-specific. With Solid, that model is very different: the app and the data are separate. Basically, your Pod is the database. This means that different apps can use the same data, and because the Solid protocol defines an API, all those apps can read and write this data regardless of where it is stored (provided, of course that the user has appropriate access).
To your specific questions about JWT and identity – @jeffz has already answered much of this, but I’ll try to rephrase some of the answers. This can be a bit complicated, so maybe phrasing it differently will help. In Solid, there are a few different conceptual entities: WebID (Identity), Pod (Storage), Identity Provider (Asserts Identity) and Apps (User-facing Features). It is possible to combine these in different ways or to have them all completely separate. For example, a WebID could be stored in a user’s Pod, but that isn’t a requirement. Also, the Identity Provider may run on the same domain as the Pod, but again, that isn’t a requirement.
In terms of login / identity / JWT, it is important to clarify a few things. First, there is a two-way trust relationship between a User’s WebID and an Identity Provider. That is, the Identity Provider will generate access tokens in the form of JWT containing an identity claim about the agent in possession of that token. Specifically: the JWT will have a webid
claim along with an Issuer (iss
) claim. When a Pod (Storage / Resource Server) validates that token, it will dereference the WebID URL and look for a trust relationshp with the issuing Identity Provider. That way I can’t just craft an otherwise valid JWT that claims to be someone else. That two-way trust is a major building-block for Solid’s security model. In passing, I will add that this all builds on OpenID Connect, so all the security mechanisms from OpenID come into play: authorization code flow, “Proof Key for Code Exchange”. Solid also uses something called Demonstration of Proof of Possession to protect against rogue resource servers from replaying access tokens.
Put simply, an App will retrieve an access token (JWT) from an Identity Provider, not from a Pod (though the two may be co-located). That access token will assert a globally unambiguous identity for the user: a WebID. The App will use that access token to read and write data to one or more Pod servers. From the access token, a Pod server will always know the identity that an agent is claiming. Also, the data that your app writes may or may not be public: your app may store data in an area that may be shared, but that isn’t required.
I hope that helps