Solid-OIDC - Resource Server
Required

- `djangoldp_account.backends.ExternalUserBackend` should check the thumbprint and validate the DPoP signature:
  - validating the DPoP signature
  - validating the `htu` and `htm` claims in the DPoP proof
- `djangoldp_account.backends.ExternalUserBackend` currently checks that the `sub` (webid) matches the `iss`
- `djangoldp_account.backends.ExternalUserBackend` should fetch public keys from the OP and check access token signature validity
Optional

- users must store a `solid:oidcRegistration` property at their webid (example)
- If the `iss` claim is different from the domain of the WebID, then the RS MUST check the WebID document for the existence of a statement matching `?webid http://www.w3.org/ns/solid/terms#oidcIssuer ?iss` (spec)
  - The above will require an extension to the `LDPUser` model to store issuers (many-to-many)
- validate `jti` to protect against replay attacks
- return `401` with a `WWW-Authenticate` header that informs the Client that a DPoP-bound Access Token is required
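The claim-level DPoP checks listed under Required (key thumbprint, `htu`, `htm`) together with the optional `jti` replay check, as an added example that is not `djangoldp_account` code. It assumes the proof JWT and the access token have already been decoded and their signatures verified by a JWT library, so it works on the parsed header and claim dicts only; the `DPoPValidator` class, `DPoPError` and the sample key are constructed for this example.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit

# RFC 7638 required members per key type (sorted order is what gets hashed)
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


class DPoPError(Exception):
    """Raised when a check fails; the RS then answers 401 with a WWW-Authenticate: DPoP header."""


def jwk_thumbprint(jwk):
    """JWK thumbprint (RFC 7638): SHA-256 of the minimal canonical JSON, base64url without padding."""
    canonical = json.dumps({m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()


def normalize_htu(url):
    """htu is compared without query and fragment; scheme and host are case-insensitive."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


class DPoPValidator:
    def __init__(self, max_age=60, skew=5):
        self.max_age, self.skew = max_age, skew
        self.seen = {}  # jti -> time after which the entry may be forgotten (constructed in-memory store)

    def check(self, header, claims, token_claims, method, url, now=None):
        """Returns the proof key's thumbprint when every check passes, otherwise raises DPoPError."""
        now = time.time() if now is None else now
        if header.get("typ") != "dpop+jwt" or "jwk" not in header:
            raise DPoPError("not a DPoP proof JWT")
        jkt = jwk_thumbprint(header["jwk"])
        # the access token's cnf.jkt must name the key that signed this proof (thumbprint binding)
        if token_claims.get("cnf", {}).get("jkt") != jkt:
            raise DPoPError("proof key does not match the access token's cnf.jkt")
        if str(claims.get("htm", "")).upper() != method.upper():
            raise DPoPError("htm does not match the request method")
        if normalize_htu(str(claims.get("htu", ""))) != normalize_htu(url):
            raise DPoPError("htu does not match the request URI")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or iat > now + self.skew or now - iat > self.max_age:
            raise DPoPError("proof lacks iat, is from the future, or is too old")
        self.seen = {j: t for j, t in self.seen.items() if t > now}  # drop jtis that can no longer replay
        jti = claims.get("jti")
        if not jti or jti in self.seen:
            raise DPoPError("jti missing or already used (replay)")
        self.seen[jti] = iat + self.max_age + self.skew
        return jkt
```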