slips

SLIP-82

Solid PKI Auth

draft mandatory author:melvincarvalho

This SLIP describes an authorization protocol for HTTP servers using Solid authentication headers to authenticate a WebID. It provides a baseline PKI system, as used in SolidOS by which all solid lite servers can authenticate cross origin.

Header Generation

Solid PKI auth sends a header where the content is the WebID of the user. The WebID is a unique identifier for a user in the Solid ecosystem.

The id is a SHA256 hash of the serialized event. The serialization takes the UTF-8 JSON-serialized string of the event structure without whitespace or line breaks. The event structure includes:

  1. An initial 0 (as a number),
  2. The user’s public key (as a lowercase hex string),
  3. The created_at timestamp (as a number),
  4. The kind set to 27235 to be compatible with other libraries,
  5. The tags field (as an array of arrays of strings, non-null),
  6. The content, which for SLIP-82, is the WebID of the user (as a string).

Signature

Each user possesses a keypair. The signature of the event follows the Schnorr signatures standard for the secp256k1 curve.

The signature ensures the event’s authenticity and integrity, proving that the user who owns the public key approves of the event’s content and that the event has not been tampered with.

Example Header

An example of how an SLIP-82 event could be represented is:

{
    "id": "a generated SHA256 hash based on the serialized event",
    "pubkey": "a user's public key in lowercase hex",
    "created_at": 1682327852,
    "content": "user's WebID",
    "kind": 27235,
    "tags": [
        ["u", "uri to change"],
        ["method", "PUT"]
    ],
    "sig": "a Schnorr signature corresponding to the event"
}

Server Validation

Servers should validate the event by ensuring:

  1. The event.id matches the SHA256 hash of the serialized event.
  2. The created_at is within an acceptable timeframe (typically 60 seconds).
  3. The WebID in the content is valid and corresponds to the authenticated user.

Authorization Header

The event is transmitted via the HTTP Authorization header, using a scheme appropriate for Solid authentication.

Example HTTP Authorization header:

Authorization: Solid <Base64 encoded event>

Test Vectors

TBD

Reference Implementations

There are no reference implementations provided for SLIP-82 at this time. Implementers are encouraged to integrate Solid authentication mechanisms in their HTTP services according to the principles outlined in this SLIP.