How to validate access token after authorization is successful? #144

Open
peter279k opened this issue Nov 19, 2019 · 3 comments
Comments

@peter279k

peter279k commented Nov 19, 2019

As the title says, I've built my own Solid server and Solid App.

When I enter the Solid App, I do authentication and authorization on the Solid Pod server via a popup window.

Then it gets the access token in the web browser's local storage.

The access token looks as follows:

"rpConfig":{"provider":{"url":"https://electric-data-pod.com:8443/","configuration":{"issuer":"https://electric-data-pod.com:8443","authorization_endpoint":"https://electric-data-pod.com:8443/authorize","token_endpoint":"https://electric-data-pod.com:8443/token","userinfo_endpoint":"https://electric-data-pod.com:8443/userinfo","jwks_uri":"https://electric-data-pod.com:8443/jwks","registration_endpoint":"https://electric-data-pod.com:8443/register","response_types_supported":["code","code token","code id_token","id_token","id_token token","code id_token token","none"],"response_modes_supported":["query","fragment"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256","RS384","RS512","none"],"token_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"display_values_supported":[],"claim_types_supported":["normal"],"claims_supported":[],"claims_parameter_supported":false,"request_parameter_supported":true,"request_uri_parameter_supported":false,"require_request_uri_registration":false,"check_session_iframe":"https://electric-data-pod.com:8443/session","end_session_endpoint":"https://electric-data-pod.com:8443/logout"},"jwks":{"keys":[{"kid":"F5_l2eIe2-w","kty":"RSA","alg":"RS256","n":"q5OCNATTLUildb-3HFPV3oVXWVSUoPF1AabjV6mdBEkDmMu2mb-qKrJrKl2iOXSIOQASUFS38OwMhKYed6WUUIgJM4AXAHByqWANou75sgc4FA8ikao1uSNU1tLVavdL3FqOK8X8X3YM6jTG5HQPedcIxHFyqB9MM-GfeRKPWuODetIff-UKcBJrqWPA7y7EbESA8CNFf4t2CdbdVOlJG4nCcXKpOSLeO6NBGkA0gdcT8ai78G-B5BwhLREtYoNy2QvV8nSpvP5D9y2Aath2RENH3GSkE-UW97JNEjpP0XE86FPy-swWpYnkETQTaGgU9HOYXlkXotWXaa91tNwGiw","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"yzV8LvEJ7fs","kty":"RSA","alg":"RS384","n":"s-BKUDqyQfuRgFrxAwrUSzAw9pG1CqKvmhpLn4f-0rEBaMu3laK194FkvV0C4b2bPSMQhnXo6PM6Y3yFXZR-PnjwpkOwB5_KlpuSmhWILlko83QSWBk3CsH5Ab0wL9Lrta-E3U3-SREflXhAAwgPgYAwBCpLSsfmSalzcU
0i-rX6z892I4LWLcb-ij1t-IRGI9U_HzYy6Y6rNbVKY7cBAAARI9VLp0zik1eWKl4y_DZVP9Q-8n6npte0zXhYX5U2WFILYXjla8ns-lmKkVai02R8nH02g9Hmf5obrZl2hbeV_lTh6USNWwUhoPjBp-gyQKd0j-USuTZyQyFvFP9LFw","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"Jq3dqs-Ybg4","kty":"RSA","alg":"RS512","n":"9oCegpIpjkBwS4oEN5cr0jQpGJQjOTK-j3Jm-KotNPN6lsjbQBrI3c4NJVeZAvHXkyN8iosOgz9L-jDDaxRxKsIm7gAziuWLpJ6rw62NlRaRTC4-WNI3gV3In45OFn_lN3lRhEtkjQQlrP8cN_2W6FE_d4XQhoA7eMrCisOHp-jc62lXR2U6NB6x_6GXB63mMZrwSO1H1KcedU6kA0gCAT2oaOHfAMnuyR5nMj9WhzmiOmw2oIoD8Z_OWjKm-_1ZlJQgbOdN_CFrOLnCmFYpRZamFljv7g5XogTcQDpRaBxnJKrXlaftBT2SUl6p9Al29H5FLwpA0LKSh9XN0Gk5lQ","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"9r412LTBNho","kty":"RSA","alg":"RS256","n":"wbsnujNR7dsR5T2L-fH01qpSiqNrIgao7-ASkLiteZY9YYs6XbmUWU3FH2QwcQapBiXYmHkgiP6pOe0WScyOPOfuCz-d0Yt9RHWizn6_C7jPZV-z6gq6lOk1GUsvJKoEiuPU-9D4UUNzQjkyJebd9ACPkWhpbHy0MIS52YfJliwXk-rvzmVKhGfOl1zapJf5LAh7egJODS_wTMwj4g1FQNTEq3q6D3uG2MpQ00iWbDZEgGVwhsVWlr2M_oCvLwzpoAUaDSDk89b8y6BHpaNBiW01ShZw-VQma6qlYppcRP9UlSLd29LPTdQ_bwU0IDylPrv1gcEN6FnxfbUhoqwlxw","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"bdtb9EVD5RE","kty":"RSA","alg":"RS384","n":"79cZrNupr3EvNUx9Ro0VOSozAbhecaSuQ0pbjfaghUuo6DTK1aYuvmP7CJkWlkSx39Wiom5fbTzYBD_OjEvd4LzzXpAr8a5he6zd-FrzZITFvNWCCW3gMGfWoZGBWGAgeNkrrXwdKYF8ia-rexH8U9Md6RhRWzqqidaVYlWXlJItcFnbd8D3aglLnWeGuWPZsCNQ2QZIenTeihfxD7GY1lpd38DM_BeDjfaz0uD8rbG9G0iznclXzSa9hMugp83dIkarmBi_GHUJBlKlkVJWbZTanUqxTUlTd5qGGtDNOwmW0EdCjYum_-PYlpc9RP89F8XmSUrLAyB3FAUWaHc15w","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"YD5ApOyFGOE","kty":"RSA","alg":"RS512","n":"4Mewl2DIGu7Mm5jEoLz2BJQI_JnCbkFm2qwIGrkV313T9Z-YQbsspzA4BDIKHLNuElr1C1XBW79xphIYl6JeRAMeQMkdy5xWZHcVUTDC9B93t1xLuctNuFrQRG2zdHhsioElrTn1-NJECRONn5sMajvxaSj69i--WrkUw3ba0neqL7KJlayeSQLx0blr3sUAeGBmWeFx9rysYxdFXKwMQqHtXSW0CQSTK6UpfRlj_GQG54W1MjCGI7lsc6pX6g-ModvFscjQqW1WKzbdylN6m0EyvbU0e4enOBTZ1QJmFz9Owiy0dwQTHEKOs9TMqWsUyE4nyVbQVBLEIb7jhejKlQ","e":"AQAB","key_ops":["verify"],"ext":true},{"kid":"fm5T54GBrY
U","kty":"RSA","alg":"RS256","n":"6w7vRBtadMJpYbiJVLFk17DGc_CuVhoDAi10q87qTmEoohAynvnkEUmfstCNzBU9adeOmZfiGBB7yN-NX3NdpC__Sou7PEQObXleu9vyTTtD7jRQwr7p_k1mptx-pKa96QJL7PIMMSLO2yxI_5AVWOLzsPlNZNOp0lrwcgHcyo1inqggtS6SXjCHRKrdw18fkN6yn-UGZQn228x40kjsX4VbeIqpr3kXxqvIQi3Y_2yKLiEvUPGW-RogwVKENnUKcNUSZ6qGpL-JQ8QJM86POV5JwbtAaHoE-EUE4ft_MkW1JTuh2A8uHhfVgvh40OafMKG5m1-60hovFaRquG3_tw","e":"AQAB","key_ops":["verify"],"ext":true}]}},"defaults":{"popToken":false,"authenticate":{"redirect_uri":"https://electric-data-pod.com:8443/common/popup.html","response_type":"id_token token","display":"page","scope":["openid"]}},"store":{},"registration":{"client_id":"4af8e9fba14bf08f1a2d8483cda94b12","redirect_uris":["https://electric-data-pod.com:8443/common/popup.html"],"response_types":["id_token token"],"grant_types":["implicit"],"application_type":"web","id_token_signed_response_alg":"RS256","token_endpoint_auth_method":"client_secret_basic","frontchannel_logout_session_required":false,"registration_acce
.......

Then my Solid App back-end will get these access tokens via the POST method.

The Solid App back-end will fetch some records, then send a response to the web browser, and the web browser will write them to the specific Pod.

My question is: is there any approach to let the Solid App back-end validate the Solid Auth access token?

Or is it possible to use the Solid Auth access token to read/write from the Solid App back-end?

Thanks.

@jaxoncreed
Contributor

Thanks for building an app!

What you've posted doesn't seem to be an access token. It seems this is the raw JSON from the localStorage solid-auth-client uses internally. This is not intended to be used by anything other than solid-auth-client.

It sounds like what you want to do is the OIDC "Authorization Code Grant" flow. At the moment solid-auth-client only supports the implicit flow, but we have plans to add other flows in the future.

You can learn more about the flows here: https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864

@peter279k
Author

peter279k commented Nov 19, 2019

Hi @jaxoncreed, thanks for your reply.

At this moment, do you have any temporary approach to validate access token on my Solid App back-end before fetching current user records?

@jaxoncreed
Contributor

Unfortunately, you currently need to make requests from the client. Due to the decentralized nature of Solid, the client needs to generate new tokens every time it makes a request to a new resource server. (See more about how this works here https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md)

This is not to say that it is impossible. We are working on the required spec changes to make this possible. (You can join the spec discussion here https://github.com/solid/authentication-panel). Just that we require more spec and implementation work to make this possible.
