Latest Threat Research:Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise.Details
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@solid/identity-token-verifier

Package Overview
Dependencies
Maintainers
14
Versions
11
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@solid/identity-token-verifier

Verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.

Source
npmnpm
Version
0.6.0
Version published
Weekly downloads
101
320.83%
Maintainers
14
Weekly downloads
 
Created
Source

Solid Token Verifier

build coverage npm

This library verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.

It conforms to the Solid Identity specification.

See also: Solid OIDC Primer Request Flow

Supports

  • DPoP Bound Access Tokens
  • Bearer Access Tokens
  • Caching of:
    • WebID Identity Providers
    • Identity Providers JSON Web Key Sets
    • A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
  • Custom Identity Verification Classes to extend to specific caching strategies if needed

How to?

Verify Solid Access Tokens with a simple function:

import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/identity-token-verifier';
import { createSolidTokenVerifier } from '@solid/identity-token-verifier';

const solidTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();

try {
  const { client_id: clientId, webid: webId } = await solidTokenVerifier(
    authorizationHeader as string,
    {
      header: dpopHeader as string,
      method: requestMethod as RequestMethod,
      url: requestURL as string
    }
  );

  console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);

  return { webId, clientId };
} catch (error: unknown) {
  const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;

  console.log(message);

  throw new Error(message);
}

The solidTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.

TODO

  • Further sanitation of inputs? For example a maximum authorization header size. Needs further discussions before resolution.
  • Improve default caching? Assess other libraries that might be used.
  • Evolve the type guards and the type guard library.
  • Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.

Keywords

Token verification
Solid Identity
Access Token
DPoP
OAuth

FAQs

Package last updated on 25 Feb 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

AI Agent Submits PR to Matplotlib, Publishes Angry Blog Post After Rejection

Security News

AI Agent Submits PR to Matplotlib, Publishes Angry Blog Post After Rejection

After Matplotlib rejected an AI-written PR, the agent fired back with a blog post, igniting debate over AI contributions and maintainer burden.

By Sarah Gooding  -  Feb 12, 2026