Usage of as_uri WWW-Authenticate parameter

wdantuma · March 30, 2023, 5:24am

Are there actually implementations which implemented the current solid OIDC specification ?

It looks like both CSS and NSS ( Inrupt) are not returning an WWW-Authenticate header with an as_uri parameter while the Solid OIDC spec states it is a MUST.

A_A · March 30, 2023, 8:53am

At least CSS has implemented it. I don’t know how it should work, but you can look through the code and issues by searching on their repo, eg Search · WWW-authenticate · GitHub

zwifi · April 10, 2023, 8:59am

Note that NSS isn’t an Inrupt product, it is a legacy community project that preceded CSS.

The Inrupt product, ESS (for Enterprise Solid Server) implements the latest Solid-OIDC, and returns an UMA-compliant WWW-Authenticate header with an as_uri parameter on unauthenticated requests. If you have a Pod on Podspaces, you can use any REST client to check this by issuing a GET request to your Pod root.

wdantuma · April 11, 2023, 10:00am

Thx for the answers.

I was tracing a podbrowser session to my podspaces pod and was expecting to see the 401 on the requests to my pod.

But with the first requests the authorization ( access token) and dpop headers where already sent.

I should probably rephrase the question:

Based on what information does podbrowser decide to already sent the access token ? Usually this is based on the audience claim ( base url) , but in this case the audience is “solid”

zwifi · April 11, 2023, 11:51am

Podbrowser is using @inrupt/solid-client-authn-browser, so what is relevant to your question is the behaviour of the library. For the time being, it does not implement reactive authorization, where an unauthenticated request is sent in order to discover authentication mechanisms based on the WWW-Authenticate header of the 401 response. Instead, it implements the legacy behaviour that was in place before the current version of then Solid-OIDC specification, namely it relies on the Resource Server accepting the Access Token issued by the OpenId Provider. In other words, it implements preemptive authorization, by sending a token along the request without the initial round-trip. This legacy behavior is currently supported by all major Solid Server implementations, and it isn’t mutually exclusive with the mechanism described in Solid-OIDC, so there is no plan I’m aware of to remove this mechanism in the short term. We will be working in the future on implementing reactive authentication in @inrupt/solid-client-authn-*.

Does that answer your question?

wdantuma · April 11, 2023, 12:13pm

Yes it does, thank you

Topic		Replies	Views
Authorizing requests using an indentity from a different provider Build a Solid App	7	525	June 20, 2021
Inrupt pod login complains about an invalid_client Solid App Development FAQs	18	2297	April 11, 2022
Solid Community Server - Bad Request / 400	2	503	December 11, 2021
Solid Pod with JWT Verification	21	1179	August 23, 2021
Solid OIDC Primer works great for Inrupt pods, but DPoP rejects IAT on Community Solid Server Developer Experience	4	42	April 18, 2024

Usage of as_uri WWW-Authenticate parameter

Related Topics