Re: WebID-OIDC - Authentication question

Hi Alexandre,

Yes, you could run a service inside your network that is trusted by your
other services to parse and validate the bearer token.
You could for instance implement that bearer-token-checker service in
NodeJS, using
https://github.com/inrupt/wac-ldp/blob/master/src/lib/auth/determineWebIdAndOrigin.ts#L62.
Our wac-ldp module exposes a function that checks several things:
* which webId does the bearer token claim to prove user identity for
* which origin was that proof of user identity issued to
* was this proof of identity signed correctly by the IDP of the user
* in case an origin header is present (i.e., for web apps), does it match
the origin to which the proof was issued

It should be quite easy to run that code in a micro-service; I would be
excited to help you set that up!


Cheers,
Michiel.

On Thu, Jul 11, 2019 at 4:47 AM Alexandre Bourlier <alex@startinblox.com>
wrote:

> Hi Dmitri,
> Hi everyone,
>
> We are implementing the WebID-OIDC spec to authenticate our users.
>
> We currently have two applications that we would like to authenticate via
> WebID-OIDC:
>  - the JS app that is running in the browser
>  - the Prosody XMPP server
> and probably more to come. This forces us to replicate steps 6 and 7 of
> the spec wherever the `ID token` validation happens.
>
> *My question is: is it OK to implement a web service that will allow us
> to factorize this code?*
>
> We could call that web service, passing it the `id token` and any relevant
> parameters, and it would respond with the `webid` if the token was valid,
> or with an explicit error message if it wasn't.
>
> Sounds like a good idea to me but I might be missing something.
> Your validation that this architecture would work and be WebID-OIDC
> compliant would help us decide in which direction we go.
>
> All the best!
>
> --
>
> Alexandre BOURLIER
> 06 51 71 08 21
> https://happy-dev.fr
> https://startinblox.com
>

Received on Friday, 12 July 2019 09:32:50 UTC