Skip to content

Authentication

Jump to bottom
Aaron Coburn edited this page Oct 27, 2017 · 14 revisions

There are three types of Authentication currently supported in Trellis: Anonymous Auth, Basic Auth and Token-based Auth. Any combination of these authentication types is possible, including enabling all or none of them.

JWT Authentication

JWT Authentication is a token-based authentication mechanism that consists of a set of claims about the user on whose behalf the request is being made. The request is digitally signed with a shared key, known by the trellis server and the server that generates the tokens. This is the recommended way to authenticate users.

In order for Trellis to authenticate users with JWT, it needs to be able to derive a WebID for a user. The best way to do this is by providing a webid claim as per the Solid WebID-OIDC specification. Alternately, a client can provide a standard sub claim with a URL identifying a user or a combination of iss (issuer) and sub (subject) to form a webid. For example:

{
    "webid" : "http://example.com/username",
    "sub" : "username",
    "iss" : "http://example.com/"
}

Anonymous Authentication

This is a mechanism for allowing anonymous users to interact with Trellis. Assuming that no Authorization header is sent in a request, the effective user will be http://www.trellisldp.org/ns/trellis#AnonymousUser. If WebAC authorization is enabled, then one's ability to read from or write to the server will be dependent on the resource's WebAC configuration.

Basic Authentication

This is a mechanism by which users login with a username and password. This means that the Trellis system will need to manage these usernames and passwords (Note: it is recommended that this mechanism be reserved for a small number of (possibly) administrative users). This relies on an Authorization header that includes a base64-encoded username:password string. When used over simple HTTP, this is an inherently insecure protocol.

The users file that is consulted when a client logs in takes the following form:

username : password : webid

where each field is separated by a colon (:). The webid should be a URL, uniquely identifying the user.

Clone this wiki locally