Diffstat (limited to 'doc/manual.html')
-rw-r--r--  doc/manual.html  54
1 files changed, 54 insertions, 0 deletions
diff --git a/doc/manual.html b/doc/manual.html
index 51d524b..d010685 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -981,6 +981,60 @@
generator. You can safely delete this directory, but you need to
restart the program to actually change the seed.
</p>
+ <h1>Running a Resource Server</h1>
+ <p>
+ A Solid server is the server that manages your data. It needs to
+ check that the proofs of possession are correct, and the
+ possessed key is signed by the identity provider.
+ </p>
+ <h2>The authenticator</h2>
+ <p>
+ In <emph>(webid-oidc&#160;jws)</emph>, the following function
+ gives a simple API for a web server:
+ </p>
+ <info:deffn type="function"
+ name="make-authenticator"
+ arguments="jti-list [#server-uri] [#current-time] [#http-get]">
+ <p>
+ Create an authenticator, i.e. a function that takes a request
+ and request body and returns the webid of the authenticated
+ user, or <pre>#f</pre> if it is not authenticated.
+ </p>
+ <p>
+ To prevent replay attacks, each request is signed by the
+ client with a different unique padding value. If such a value
+ has already been seen, then the request must fail.
+ </p>
+ <p>
+ The authenticator expects the client to demonstrate the
+ possession of a key that the identity provider knows. So the
+ client creates a DPoP proof, targetted to a specific URI. In
+ order to check that the URI is correct, the authenticator
+ needs the public URI of the service.
+ </p>
+ <p>
+ The JTIs are checked within a small time frame. By default,
+ the system time will be used. Otherwise, you can customize the
+ <pre>current-time</pre> optional keyword argument, to pass a
+ thunk returning a time from <emph>(srfi srfi-19)</emph>.
+ </p>
+ <p>
+ You may want to customize the <info:var>http-get</info:var>
+ optional keyword argument to pass a function to replace
+ <pre>http-get</pre> from <emph>(http client)</emph>. This
+ function takes an URI and optional <pre>#:headers</pre>
+ arguments, makes the request, and return two values: the
+ response, and the response body.
+ </p>
+ <p>
+ This function, in
+ <emph>(webid-oidc&#160;resource-server)</emph>, returns a web
+ request handler, taking the request and request body, and
+ returning the subject of the access token. If an error
+ happens, it is thrown; the function always returns a valid
+ URI.
+ </p>
+ </info:deffn>
<h1 type="appendix">GNU Free Documentation License</h1>
<info:gfdl />
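Review bot: The return contract of make-authenticator is documented two different ways in this hunk. The first paragraph says the authenticator "returns the webid of the authenticated user, or #f if it is not authenticated", while the last paragraph says "If an error happens, it is thrown; the function always returns a valid URI", and that paragraph also places the function in (webid-oidc resource-server) although the opening paragraph introduces it as part of (webid-oidc jws). Settle on one contract (return #f, or raise) and one module, and state which outcome applies to a failed proof-of-possession check versus a replayed JTI, because the resource server's access-control code has to know whether to test for #f or install an exception handler. In the replay paragraph, "a different unique padding value" describes the DPoP proof's jti; naming it as such and explaining what the jti-list argument is (the store of already-seen JTIs) and how its entries expire relative to the "small time frame" would make the section usable, and the default width of that time frame should be given as a concrete duration. Minor: "targetted" -> "targeted", "takes an URI" -> "takes a URI", "return two values" -> "returns two values", and the #:server-uri keyword has no stated default.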