
WebID authentication

Ruben Taelman edited this page Apr 8, 2020 · 3 revisions

Use HTTPS and WebID

The server can be configured to authenticate clients through WebID. WebID uses HTTPS and SSL certificates to create a trusted peer network.

Server

Create WebID, keys and certificates

To secure your server using HTTPS, you need certificates. To generate these, use the ./make-server-certificates.sh script we included in the server software under the keys folder. Take care to enter the correct information for your domain! The first argument of the script takes the FQDN (domain name) of your server, the second argument the port on which the server runs, and the third to sixth arguments the country, state, locale, and organization, respectively. For example:

./make-server-certificates.sh example.test.iminds.be \
8900 BE Oost-Vlaanderen Ghent iMinds

Alternatively, you could also generate the certificates manually, as follows:

Create the CA certificate

You'll need a Root Certificate Authority (private key) to sign the certificates of trusted clients.

openssl genrsa \
  -out certs/ca/my-root-ca.key.pem \
  2048

Self-sign your Root Certificate Authority by creating a certificate request. Since this is private, the details can be anything you like.

openssl req \
  -x509 \
  -new \
  -nodes \
  -key certs/ca/my-root-ca.key.pem \
  -days 3652 \
  -out certs/ca/my-root-ca.crt.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

Create a server certificate

Create a private key for the server certificate.

openssl genrsa \
  -out certs/server/my-server.key.pem \
  2048

Create a certificate request for your server.

openssl req -new \
    -key certs/server/my-server.key.pem \
    -out certs/tmp/my-server.csr.pem \
    -subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=example.com"

Finally, sign the request from your server with your Root CA.

openssl x509 \
    -req -in certs/tmp/my-server.csr.pem \
    -CA certs/ca/my-root-ca.crt.pem \
    -CAkey certs/ca/my-root-ca.key.pem \
    -CAcreateserial \
    -out certs/server/my-server.crt.pem \
    -days 1095

Configure the server

The server can be configured to use HTTPS together with WebID as follows.

{
  "protocol": "https",
  "sslKey": "keys/certs/server/my-server.key.pem",
  "sslCa": ["keys/certs/server/my-root-ca.crt.pem"],
  "sslCert": "keys/certs/server/my-server.crt.pem"
}

With this configuration, the server will use WebID Authentication over TLS to authenticate trusted clients. Make sure the client's certificate is signed by your Root CA beforehand.

Client

Create a WebID

A WebID is an RDF file that describes the social profile of you or your organization. It is published under a unique URI, which is used for identification and authentication.

For instance, the WebID of a person called Bob can look like this:

@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<> a foaf:PersonalProfileDocument ;
   foaf:maker <#me> ;
   foaf:primaryTopic <#me> .

<#me> a foaf:Person ;
   foaf:name "Bob" ;
   foaf:knows <https://example.edu/p/Alice#MSc> ;
   foaf:img <https://bob.example.org/picture.jpg> .

For an organization, the document looks similar, for instance:

@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<> a foaf:PersonalProfileDocument ;
   foaf:maker <#webid> ;
   foaf:primaryTopic <#webid> .

<#webid> a foaf:Organization ;
   foaf:name "W3C" ;
   foaf:img <https://www.w3.org/2008/site/images/logo-w3c-mobile-lg> .

Create a client certificate including WebID

First, create a private key for the client certificate.

openssl genrsa \
  -out certs/client/my-app-client.key.pem \
  2048

Create an SSL client certificate that includes your WebID in the subjectAltName. Don't forget to correctly fill in the Country (C), Locale (L), Organization (O) and Common Name (CN). Also remember to escape the forward slashes in the subjectAltName URI with a backslash (\/), because an unescaped slash is read as a field separator in the -subj string.

# Create a trusted client cert
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl req -new \
  -key certs/client/my-app-client.key.pem \
  -out certs/tmp/my-app-client.csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME App Client/CN=client.example.net/subjectAltName=uniformResourceIdentifier:https:\/\/bob.example.org\/profile#me"

Add your public key to the WebID

Additionally, add your public key to the WebID document, attached to the same subject that is the profile's primary topic (<#webid> here, <#me> in Bob's example). The cert and xsd prefixes must be declared alongside foaf:

@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<#webid> cert:key [ a cert:RSAPublicKey;
                cert:modulus "00cb24ed85d64d794b..."^^xsd:hexBinary;
                cert:exponent 65537 ] .

You need the modulus and exponent. To get them, execute the following commands:

modulus:

openssl rsa -in certs/client/my-app-client.key.pem -modulus -noout

exponent:

openssl rsa -in certs/client/my-app-client.key.pem -text -noout | awk '/Exponent/ { print $2 }'

Become a trusted peer for the server

Send your certificate request to the server operator so it can be signed. On the server side, to add a client to the pool of trusted peers, collect its certificate request and sign it with the Root CA before any communication takes place; then return the signed certificate to the client.

openssl x509 \
  -req -in certs/tmp/my-app-client.csr.pem \
  -CA certs/ca/my-root-ca.crt.pem \
  -CAkey certs/ca/my-root-ca.key.pem \
  -CAcreateserial \
  -out certs/client/my-app-client.crt.pem \
  -days 1095

To test your own server setup from the same machine, you can generate trusted client certificates using the ./make-trusted-client-certificates.sh script we included in the server software under the keys folder. The first argument of the script takes the FQDN (domain name) of your server, the second argument the WebID of the client, and the third to sixth arguments the country, state, locale, and organization, respectively. For example:

./make-trusted-client-certificates.sh combust.test.iminds.be \
"http:\/\/combust.test.iminds.be\/combusttestclient.ttl#webid" \
BE Oost-Vlaanderen Ghent iMinds

To test the setup, import the client certificates keys/certs/my-app-client.crt.pem and keys/certs/my-app-client.p12 into your browser. Just make sure the client’s WebID includes the correct modulus, which you can obtain with the following command:

openssl rsa -in keys/certs/client/my-app-client.key.pem -modulus -noout

Configure the client

The client can then be configured to use HTTPS together with WebID as follows. Note that you can add certificates for each data source separately.

{
  "ssl": {
     "https://localhost:8900/testdata": {
        "key": "certs/client/my-app-client.key.pem",
        "cert": "certs/client/my-app-client.crt.pem"
      }
   }
}

Make sure your WebID is online so the server is able to download it.

When querying, your machine may reject self-signed certificates, in which case you need to tell Node.js to skip certificate verification for the whole process:

export NODE_TLS_REJECT_UNAUTHORIZED="0"