crspybits / SolidAuthSwift

Swift-based authentication for a Solid Pod
MIT License

Can I be assured that an id token (or an access token) from Solid *always* has a sub or a webid claim? #7

Open crspybits opened 3 years ago

crspybits commented 3 years ago

And if only the sub claim is present, does it always have the user's webid?

crspybits commented 3 years ago

https://solid.github.io/solid-oidc/#tokens-access

The DPoP-bound Access Token payload MUST contain these claims:

webid — The WebID claim MUST be the user’s WebID.
iss — The issuer claim MUST be a valid URL of the IdP instantiating this token.
aud — The audience claim MUST either be the string solid or be an array of values, one of which is the string solid. In the decentralized world of Solid OIDC, the principal of an access token is not a specific endpoint, but rather the Solid API; that is, any Solid server at any accessible address on the world wide web. See also: JSON Web Token (JWT) § section-4.1.3.
iat — The issued-at claim is the time at which the DPoP-bound Access Token was issued.
exp — The expiration claim is the time at which the DPoP-bound Access Token becomes invalid.
cnf — The confirmation claim is used to identify the DPoP Public Key bound to the Access Token. See also: OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) § section-7.
client_id - The ClientID claim is used to identify the client. See also: section 5. Client Identifiers.

crspybits commented 3 years ago

https://solid.github.io/solid-oidc/#tokens-id

The user’s WebID MUST be present in the ID Token as the webid claim.

(Which is curious because I've found that the webid claim is missing in some id tokens).

crspybits commented 3 years ago

https://github.com/solid/webid-oidc-spec#deriving-webid-uri-from-id-token

Makes it clear that sometimes neither the sub nor the webid claim will be present:

If a WebID URI is not found in either the webid or sub claim, the Relying Party should proceed to make an OpenID Connect UserInfo Request, with the appropriate Access Token that it received alongside the ID Token.

crspybits commented 3 years ago

For the issuer https://broker.pod.inrupt.com for an id token, I get:

2021-09-19T14:55:46-0600 debug  : token.claims.sub: Optional("crspybits")
2021-09-19T14:55:46-0600 debug  : token.claims.webid: Optional("https://pod.inrupt.com/crspybits/profile/card#me")

Given https://github.com/solid/webid-oidc-spec#deriving-webid-uri-from-id-token and the above, it seems clear I need to check the webid first.
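The precedence worked out in this thread (the webid claim first, then a URI-shaped sub, otherwise a UserInfo request), as an added Python example that is not code from the SolidAuthSwift project. It assumes the caller has already verified the token's signature, issuer, audience and expiry; the JWT-shaped sample strings and the example.org WebIDs are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

# Returned when neither claim carries a WebID and the Relying Party must
# fall back to an OpenID Connect UserInfo request with the access token.
NEED_USERINFO = "NEED_USERINFO"


def payload_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT without verifying it.
    Assumption: signature, iss, aud and exp were already checked by the caller."""
    segments = jwt.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_webid_uri(value) -> bool:
    """A WebID is an absolute http(s) URI; a bare username such as 'crspybits' is not."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def derive_webid(claims: dict) -> str:
    """Precedence from the webid-oidc spec: webid claim, then sub, then UserInfo."""
    if is_webid_uri(claims.get("webid")):
        return claims["webid"]
    if is_webid_uri(claims.get("sub")):
        return claims["sub"]
    return NEED_USERINFO


def derive_webid_from_token(jwt: str) -> str:
    return derive_webid(payload_claims(jwt))


def unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (alg none, empty signature) for the constructed samples."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: the first mirrors the broker.pod.inrupt.com claims quoted above.
INRUPT_LIKE = unsigned_jwt({"sub": "crspybits",
                            "webid": "https://pod.inrupt.com/crspybits/profile/card#me"})
SUB_ONLY = unsigned_jwt({"sub": "https://example.org/alice/profile/card#me"})
NEITHER = unsigned_jwt({"sub": "alice"})
```

The bare-username sub from the inrupt broker is exactly why the check must not stop at sub: it is present but is not a WebID.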