What is the right way to authorize HTTP PUT operations?

I have been trying to upload an image to my Solid POD. If I trace the data browser I can see it does an HTTP PUT of the image data (as expected) - but when I tried the same I got “401 - Unauthorized” even though the previous PUT of a turtle document went through all fine.

In code I used Chrome’s built-in fetch operation (see https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Uploading_a_file) without luck. So I tried the RDFLIB fetcher.webOperation() instead - and it worked. Why?

Looking at the network traffic, it turns out the RDFLIB fetcher sends both a session cookie and an authorization header (with an ID-token) with the PUT operation - whereas the built-in Chrome fetcher doesn’t send the authorization header, only the session cookie.

So I am curious - what is the right way to authorize requests with the Solid server? Apparently the cookies are not enough. Where in the specs can I find this documented? And where would you get that authorization header ID-token from?


Basically, Chrome doesn’t have OIDC support, only passwords (and certificates), on fetch(). So the rdflib.js uses a version of fetch in solid-auth-client which catches the 401 unauthenticated error and does the right thing.
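
The behaviour described in the answer above (a fetch wrapper that catches the 401 and retries with an Authorization header), as an added example that is not part of the original thread and not solid-auth-client's own code. `makeAuthFetch`, `getToken`, the fake pod, the URLs and the token value are constructed for illustration, and a plain bearer header is assumed.

```javascript
// Hypothetical wrapper: retry a request once with a bearer token after a 401.
function makeAuthFetch(baseFetch, getToken) {
  return async function authFetch(url, options = {}) {
    const first = await baseFetch(url, { ...options, credentials: 'include' });
    if (first.status !== 401) return first;
    // Release a token only for the origin it was issued for, so a 401 from
    // some other server never causes the token to be sent there.
    const token = await getToken(new URL(url).origin);
    if (!token) return first;
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
    // Retry once; the body must be replayable (string, Blob, ArrayBuffer),
    // not an already-consumed stream.
    return baseFetch(url, { ...options, headers, credentials: 'include' });
  };
}

// Constructed stand-in for a server that rejects a cookie-only request with 401.
function makeFakePod(validToken) {
  const calls = [];
  async function fakeFetch(url, options = {}) {
    const auth = (options.headers || {}).Authorization;
    calls.push({ url, method: options.method || 'GET', auth });
    const ok = auth === `Bearer ${validToken}`;
    return { status: ok ? 201 : 401, headers: { get: () => null } };
  }
  return { fakeFetch, calls };
}

async function demo() {
  const pod = makeFakePod('constructed-token');
  // Constructed token store: one session, bound to one origin.
  const tokens = { 'https://pod.example': 'constructed-token' };
  const getToken = async (origin) => tokens[origin] || null;
  const authFetch = makeAuthFetch(pod.fakeFetch, getToken);

  // PUT to the pod: first attempt gets 401, the retry carries the header.
  const put = await authFetch('https://pod.example/public/cat.png', {
    method: 'PUT',
    headers: { 'Content-Type': 'image/png' },
    body: 'constructed-bytes',
  });
  // PUT to another origin: no token for it, so the 401 is returned unchanged.
  const other = await authFetch('https://other.example/x', { method: 'PUT', body: 'x' });
  return { putStatus: put.status, otherStatus: other.status, calls: pod.calls };
}
```
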

Oh, you just answered a question I didn’t ask yet :-). Cypress kicks up Chrome and was failing compared to Firefox.

Thanks! So, if I were to do something the fetcher didn’t handle, how would I get to the bearer token to be used?