Otto-AA / solid-filemanager

A file manager for solid pods.
https://otto-aa.github.io/solid-filemanager/

update to DPoP authentication. Legacy being deprecated. #31

Closed ewingson closed 2 years ago

ewingson commented 2 years ago

Solid recently had an update from legacy auth to the use of DPoP auth.

We noticed that your app still is using the old auth.

We'd like to encourage you to switch to the new auth using the Demonstrating Proof of Possession technology.

Our motivation for the update was using the standard OIDC-way.

JavaScript libraries using the new authentication methods include:

Some simple examples of JavaScript apps using the DPoP auth can be found here

The list of apps using the new DPoP authorization can be followed here dpop-status.

Just let us know if we can assist you on switching your app at https://gitter.im/solid/app-development or https://forum.solidproject.org

From solid team

Otto-AA commented 2 years ago

Thanks for reaching out!

I guess the only required change would be to update solid-file-client and solid-auth-client, as all the API calls are done through these libraries (see ApiHandler.ts).

If solid-file-client and solid-auth-client are updated, I could take a look again to see if it's that easy. If it's not that easy, I likely won't change it myself but would welcome a PR or fork (I sadly don't have much time and haven't been active with Solid, so I don't actively maintain this repo anyway :confused: ).

ewingson commented 2 years ago

thanx for your reply. I am working on https://github.com/ewingson/solid-file-client/tree/try_v2b , of which you were the original author. it was no big thang so far. though I have no idea what additionally needs to be changed in solid-auth-client.

thank you for your contributions and your time, for now I will mark it as "won't fix". but maybe (as solid-file-client-demo is my first project) I would choose fixing this as my second project.

(it's just the demo I work on)

bourgeoa commented 2 years ago

@ewingson this app is a very nice one and it will be top if you could manage to add DPoP and not only migrate to DPoP. The first step will be to migrate, I suppose. There are good reasons in such an app to offer the possibility to choose the Auth method like in media-kraken.

ewingson commented 2 years ago

I tend to think in very small steps. when I have solved https://github.com/jeff-zucker/solid-file-client/pull/219 I can imagine giving the solid-filemanager some TLC

Otto-AA commented 2 years ago

I've switched to the @inrupt/solid-client-authn-browser library in this commit: https://github.com/Otto-AA/solid-filemanager/commit/5b1937e864dff6773da69808014f195672a89f0d

The UI is not perfect, but for developers it should work (you have to manually enter the OIDC issuer and on page (re)load it always redirects to the home page because of the session restore)

bourgeoa commented 2 years ago

@Otto-AA Thank you very much. Apparently it was not so easy. I made it run locally with success on CSS https://solidweb.me

Just a point: the link https://otto-AA.github.io/solid-filemanager strangely does not load the latest version but the old one.

Otto-AA commented 2 years ago

Yes, that's a bug with how I implemented the service worker (#26). You can delete the service worker from your browser (e.g. something like about:serviceworkers in FF) and then reload the page. In the console you can see which version it loaded.