JavaScriptSolidServer/docs/authentication.md at gh-pages · JavaScriptSolidServer/JavaScriptSolidServer

## Simple Tokens (Development)

Use the token returned from pod creation:

```bash
curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/alice/private/
```

## Built-in Identity Provider (v0.0.12+)

Enable the built-in Solid-OIDC Identity Provider:

With IdP enabled, pod creation requires email and password:

```bash
curl -X POST http://localhost:3000/.pods \
  -H "Content-Type: application/json" \
  -d '{"name": "alice", "email": "alice@example.com", "password": "secret123"}'
```

Response:

```json
{
  "name": "alice",
  "webId": "http://localhost:3000/alice/#me",
  "podUri": "http://localhost:3000/alice/",
  "idpIssuer": "http://localhost:3000",
  "loginUrl": "http://localhost:3000/idp/auth"
}
```

OIDC Discovery: `/.well-known/openid-configuration`

## Programmatic Login (CTH Compatible)

For automated testing and scripts, use the credentials endpoint:

```bash
curl -X POST http://localhost:3000/idp/credentials \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "password": "secret123"}'
```

Response:

```json
{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "webid": "http://localhost:3000/alice/#me"
}
```

For DPoP-bound tokens (Solid-OIDC compliant), include a DPoP proof header.

## Passkey Authentication (v0.0.77+)

Enable passwordless login with WebAuthn/FIDO2:

How it works:

  1. User logs in with username/password
  2. Prompted to add a passkey (Touch ID, Face ID, security key)
  3. Future logins: tap "Sign in with Passkey" → biometric → done!

Benefits:

  • Phishing-resistant (bound to domain)
  • No passwords to remember or leak
  • Works on mobile and desktop

Passkeys are stored per-account and work across devices via platform sync (iCloud Keychain, Google Password Manager, etc.).

## Schnorr SSO (v0.0.79+)

Sign in with your Nostr key using NIP-07 browser extensions:

How it works:

  1. User clicks "Sign in with Schnorr" on the login page
  2. NIP-07 extension (Podkey, nos2x, Alby) signs a NIP-98 auth event
  3. Server verifies BIP-340 Schnorr signature
  4. User authenticated via linked did:nostr identity

Requirements:

  • Account must have a did:nostr:<pubkey> WebID linked
  • User needs a NIP-07 compatible browser extension

Benefits:

  • No passwords - cryptographic authentication
  • Works with existing Nostr identity
  • Single sign-on across Solid and Nostr ecosystems

## Solid-OIDC (External IdP)

The server also accepts DPoP-bound access tokens from external Solid identity providers:

```bash
curl -H "Authorization: DPoP ACCESS_TOKEN" \
     -H "DPoP: DPOP_PROOF" \
     http://localhost:3000/alice/private/
```

## WebID-TLS (Client Certificates)

For backend services, CLI tools, and automated agents that need non-interactive authentication:

```bash
jss start --ssl-key key.pem --ssl-cert cert.pem --webid-tls
```

How it works:

  1. Client presents X.509 certificate during TLS handshake
  2. Certificate's SubjectAlternativeName contains a WebID URI
  3. Server fetches the WebID profile
  4. Server verifies the certificate's public key matches one in the profile

Testing with curl:

```bash
# Generate self-signed cert with WebID in SAN
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 365 \
  -subj "/CN=Test" -addext "subjectAltName=URI:https://example.com/alice/#me" -nodes

# Make authenticated request
curl --cert client-cert.pem --key client-key.pem https://localhost:8443/alice/private/
```

Profile requirement: Your WebID profile must contain the certificate's public key:

```turtle
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<#me> cert:key [
    a cert:RSAPublicKey;
    cert:modulus "abc123..."^^xsd:hexBinary;
    cert:exponent 65537
] .
```

Use cases:

  • Enterprise backend services with existing PKI
  • Server-to-server communication
  • CLI tools and scripts
  • IoT devices with embedded certificates