npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@solid/access-token-verifier

v2.1.0

Published

Verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

Downloads

1,089

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

matthieubosquetmatthieubosquetjoachimvhjoachimvhjustinwbjustinwbrubenverborghrubenverborghkjetilkkjetilkcodenamedmitricodenamedmitrijaxoncreedjaxoncreedajacksifiedajacksifiedinrupt_ciinrupt_cinseydouxnseydouxpmcb55pmcb55megothmegothvincenttunruvincenttunrumichielbdejongmichielbdejongvirginiabalseirovirginiabalseirotimbltimblbourgeoabourgeoa

Keywords

SolidOIDCAccess TokenToken VerificationDPoPBearerTokenOAuth

Readme

Solid OIDC Access Token Verifier

Project Solid Test workflow npm package

This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

It conforms to the Solid OIDC specification.

See also: Solid OIDC Primer Request Flow

Supports

  • DPoP Bound Access Tokens
  • Bearer Access Tokens
  • Caching of:
    • WebID Identity Providers
    • Identity Providers JSON Web Key Sets
    • A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
  • Custom Identity Verification Classes to extend to specific caching strategies if needed

How to?

Verify Solid Access Tokens with a simple function:

import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
import { createSolidTokenVerifier } from '@solid/access-token-verifier';

const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();

try {
  const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
    authorizationHeader as string,
    {
      header: dpopHeader as string,
      method: requestMethod as RequestMethod,
      url: requestURL as string
    }
  );

  console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);

  return { webId, clientId };
} catch (error: unknown) {
  const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;

  console.log(message);

  throw new Error(message);
}

The solidOidcAccessTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.

TODO

  • Further sanitation of inputs? For example a maximum authorization header size. Needs further discussions before resolution.
  • Improve default caching? Assess other libraries that might be used.
  • Evolve the type guards and the type guard library.
  • Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.
  • ~~Enforce client ID when support is wide enough as per: https://solid.github.io/solid-oidc/#tokens-access~~
  • Enforce azp claim in the next library which should target ID tokens as opposed to Access tokens as per the updated Solid-OIDC spec
  • Enforce DPoP ath claim when support is wide enough as per: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04#section-4.2