Open crspybits opened 3 years ago
https://solid.github.io/solid-oidc/#tokens-access
The DPoP-bound Access Token payload MUST contain these claims:
webid — The WebID claim MUST be the user’s WebID.
iss — The issuer claim MUST be a valid URL of the IdP instantiating this token.
aud — The audience claim MUST either be the string solid or be an array of values, one of which is the string solid. In the decentralized world of Solid OIDC, the principal of an access token is not a specific endpoint, but rather the Solid API; that is, any Solid server at any accessible address on the world wide web. See also: JSON Web Token (JWT) § section-4.1.3.
iat — The issued-at claim is the time at which the DPoP-bound Access Token was issued.
exp — The expiration claim is the time at which the DPoP-bound Access Token becomes invalid.
cnf — The confirmation claim is used to identify the DPoP Public Key bound to the Access Token. See also: OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) § section-7.
client_id - The ClientID claim is used to identify the client. See also: section 5. Client Identifiers.
https://solid.github.io/solid-oidc/#tokens-id
The user’s WebID MUST be present in the ID Token as the webid claim.
(Which is curious because I've found that the webid claim is missing in some id tokens).
https://github.com/solid/webid-oidc-spec#deriving-webid-uri-from-id-token
Makes it clear that sometimes neither the sub nor the webid claim will be present:
If a WebID URI is not found in either the webid or sub claim, the Relying Party should proceed to make an OpenID Connect UserInfo Request, with the appropriate Access Token that it received alongside the ID Token.
For the issuer https://broker.pod.inrupt.com for an id token, I get:
2021-09-19T14:55:46-0600 debug : token.claims.sub: Optional("crspybits")
2021-09-19T14:55:46-0600 debug : token.claims.webid: Optional("https://pod.inrupt.com/crspybits/profile/card#me")
Given https://github.com/solid/webid-oidc-spec#deriving-webid-uri-from-id-token and the above, it seems clear I need to check the webid first.
And if only the sub claim is present, does it always have the user's webid?
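As an added illustration (not code from the issue or from the Solid projects), the derivation order quoted above and the required access-token claims as a relying-party-side check. It assumes the JWT signature and DPoP proof have already been verified, and that `cnf` carries a `jkt` thumbprint as in the DPoP spec; the sample claims are constructed from the debug log in the issue.

```python
import time
from urllib.parse import urlparse

REQUIRED_ACCESS_TOKEN_CLAIMS = ("webid", "iss", "aud", "iat", "exp", "cnf", "client_id")

def is_http_uri(value):
    """True for an absolute http(s) URI (a WebID looks like one, often ending in '#me')."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def derive_webid(id_token_claims):
    """webid-oidc derivation order on a signature-verified ID Token payload: prefer
    'webid', then 'sub' when it is a URI, else (None, 'userinfo') so the caller
    falls back to a UserInfo request with the accompanying access token."""
    webid = id_token_claims.get("webid")
    if is_http_uri(webid):
        return webid, "webid"
    sub = id_token_claims.get("sub")
    if is_http_uri(sub):
        return sub, "sub"
    return None, "userinfo"

def check_access_token_claims(claims, now=None):
    """List problems with a DPoP-bound Access Token payload against the Solid-OIDC
    required claims; an empty list means the payload is acceptable."""
    now = time.time() if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED_ACCESS_TOKEN_CLAIMS if c not in claims]
    if problems:
        return problems
    if not is_http_uri(claims["webid"]):
        problems.append("webid is not a URI")
    if not is_http_uri(claims["iss"]):
        problems.append("iss is not a valid URL")
    aud = claims["aud"]  # must be "solid" or an array containing "solid"
    if not (aud == "solid" or (isinstance(aud, list) and "solid" in aud)):
        problems.append("aud does not include 'solid'")
    if not isinstance(claims["iat"], (int, float)) or claims["iat"] > now:
        problems.append("iat is in the future")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        problems.append("token is expired")
    # DPoP binding (assumed): cnf carries the JWK thumbprint of the client's key.
    if not isinstance(claims["cnf"], dict) or "jkt" not in claims["cnf"]:
        problems.append("cnf lacks a jkt thumbprint")
    return problems

# Constructed sample: the two claims shown in the issue's debug log.
SAMPLE_ID_TOKEN_CLAIMS = {"sub": "crspybits", "webid": "https://pod.inrupt.com/crspybits/profile/card#me"}
```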