draft
mandatory
author:melvincarvalho
This SLIP describes an authorization protocol for HTTP servers using Solid authentication headers to authenticate a WebID. It provides a baseline PKI system, as used in SolidOS by which all solid lite servers can authenticate cross origin.
Solid PKI auth sends a header where the content
is the WebID of the user. The WebID is a unique identifier for a user in the Solid ecosystem.
The id
is a SHA256 hash of the serialized event. The serialization takes the UTF-8 JSON-serialized string of the event structure without whitespace or line breaks. The event structure includes:
0
(as a number),created_at
timestamp (as a number),kind
set to 27235 to be compatible with other libraries,tags
field (as an array of arrays of strings, non-null),content
, which for SLIP-82, is the WebID of the user (as a string).Each user possesses a keypair. The signature of the event follows the Schnorr signatures standard for the secp256k1
curve.
The signature ensures the event’s authenticity and integrity, proving that the user who owns the public key approves of the event’s content and that the event has not been tampered with.
An example of how an SLIP-82 event could be represented is:
{
"id": "a generated SHA256 hash based on the serialized event",
"pubkey": "a user's public key in lowercase hex",
"created_at": 1682327852,
"content": "user's WebID",
"kind": 27235,
"tags": [
["u", "uri to change"],
["method", "PUT"]
],
"sig": "a Schnorr signature corresponding to the event"
}
Servers should validate the event by ensuring:
event.id
matches the SHA256 hash of the serialized event.created_at
is within an acceptable timeframe (typically 60 seconds).content
is valid and corresponds to the authenticated user.The event is transmitted via the HTTP Authorization
header, using a scheme appropriate for Solid authentication.
Example HTTP Authorization header:
Authorization: Solid <Base64 encoded event>
TBD
There are no reference implementations provided for SLIP-82 at this time. Implementers are encouraged to integrate Solid authentication mechanisms in their HTTP services according to the principles outlined in this SLIP.