From ed64c545c4723dc0efdb1265b05d682e11e4c1f6 Mon Sep 17 00:00:00 2001 
From: Vivien Kraus Date: Fri, 30 Jul 2021 11:58:08 +0200 Subject: Change the name! --- AUTHORS | 2 +- Makefile.am | 2 +- NEWS | 15 +- README | 6 +- bootstrap | 4 +- ci.scm | 8 +- configure.ac | 4 +- doc/Makefile.am | 6 +- doc/disfluid.texi | 1428 ++++++++++++++++++++++++++ doc/style.css | 2 +- doc/webid-oidc.texi | 1495 ---------------------------- get-release | 2 +- get-version | 2 +- guix/vkraus/packages/disfluid.scm | 207 ++++ guix/vkraus/packages/webid-oidc.scm | 205 ---- guix/vkraus/services/disfluid.scm | 520 ++++++++++ guix/vkraus/services/webid-oidc.scm | 520 ---------- hooks/update | 2 +- man/Makefile.am | 16 +- man/reset-env.in | 2 +- po/POTFILES.in | 2 +- po/disfluid.pot | 1813 ++++++++++++++++++++++++++++++++++ po/fr.po | 74 +- po/webid-oidc.pot | 1810 --------------------------------- pre-inst-env.in | 2 +- src/Makefile.am | 4 +- src/disfluid | 23 + src/disfluid-example-app | 23 + src/disfluid-hello | 23 + src/random/random.c | 4 +- src/scm/webid-oidc/cache.scm | 4 +- src/scm/webid-oidc/client.scm | 4 +- src/scm/webid-oidc/example-app.scm | 2 +- src/scm/webid-oidc/program.scm | 8 +- src/scm/webid-oidc/refresh-token.scm | 4 +- src/scm/webid-oidc/testing.scm | 2 +- src/webid-oidc | 23 - src/webid-oidc-example-app | 23 - src/webid-oidc-hello | 23 - tests/acl.scm | 2 +- tests/crud.scm | 4 +- tests/server-content.scm | 4 +- update-channel.scm | 18 +- 43 files changed, 4151 insertions(+), 4196 deletions(-) create mode 100644 doc/disfluid.texi delete mode 100644 doc/webid-oidc.texi create mode 100644 guix/vkraus/packages/disfluid.scm delete mode 100644 guix/vkraus/packages/webid-oidc.scm create mode 100644 guix/vkraus/services/disfluid.scm delete mode 100644 guix/vkraus/services/webid-oidc.scm create mode 100644 po/disfluid.pot delete mode 100644 po/webid-oidc.pot create mode 100755 src/disfluid create mode 100755 src/disfluid-example-app create mode 100755 src/disfluid-hello delete mode 100755 src/webid-oidc delete mode 100755 src/webid-oidc-example-app 
delete mode 100755 src/webid-oidc-hello diff --git a/AUTHORS b/AUTHORS index 15138c6..9e30659 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1,4 +1,4 @@ -#+title: Webid-oidc authors +#+title: disfluid authors #+language: en #+author: Vivien Kraus #+email: vivien@planete-kraus.eu diff --git a/Makefile.am b/Makefile.am index 42e27ca..3b9caba 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,4 @@ -# webid-oidc, implementation of the Solid specification +# disfluid, implementation of the Solid specification # Copyright (C) 2020, 2021 Vivien Kraus # This program is free software: you can redistribute it and/or modify diff --git a/NEWS b/NEWS index 9ac56cc..b30cd7a 100644 --- a/NEWS +++ b/NEWS @@ -1,12 +1,23 @@ -#+title: What's new in webidoidc? +#+title: What's new in disfluid? #+language: en #+author: Vivien Kraus #+email: vivien@planete-kraus.eu +* The project is renamed! +webid-oidc was a stupid name for 2 reasons: +- it did not say anything special about the project; +- nothing is called webid-oidc in the protocol anymore. + +Plus, the new name is a tail-recursive (almost) acronym for: + +Demanding Interoperability to Strengthen the Free (Libre) Web: +Introducing DISFLUID + +That makes it special: DISFLUID is not SOLID. + * Initial features ** The server has now a coherent set of features It is now possible to run a full Solid server. There are known shortcomings: -- json-ld is not supported; - LD-PATCH is not supported; - the websocket pubsub API is not supported (at this time, it’s not standardized either). diff --git a/README b/README index 79a416a..c3c9597 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -#+title: Webid-oidc +#+title: Demanding Interoperability to Strengthen the Free (Libre) Web: Introducing DISFLUID #+language: en #+author: Vivien Kraus #+email: vivien@planete-kraus.eu 
@@ -38,12 +38,12 @@ These are the run-time dependencies: To build, first run the =bootstrap= script, then =./configure=, =make=. You can run the program without installing it, by running -=./pre-inst-env guile src/webid-oidc=, or you can install it with +=./pre-inst-env guile src/disfluid=, or you can install it with =make install=. * Running -Once installed, you get a program named =webid-oidc=. Run it with =-h= +Once installed, you get a program named =disfluid=. Run it with =-h= to get the options. # Local Variables: diff --git a/bootstrap b/bootstrap index a25989d..ce85a33 100755 --- a/bootstrap +++ b/bootstrap @@ -1,6 +1,6 @@ #!/bin/sh -# webid-oidc, implementation of the Solid specification +# disfluid, implementation of the Solid specification # Copyright (C) 2020, 2021 Vivien Kraus # This program is free software: you can redistribute it and/or modify @@ -20,7 +20,7 @@ autoreconf -vif || exit 1 sed -i 's|SHELL = /bin/sh|SHELL = @SHELL@|g' po/Makefile.in.in || exit 1 ## Prepare the man pages -SCRIPTS_THAT_GET_EXECUTED="../src/webid-oidc ../src/webid-oidc-example-app" +SCRIPTS_THAT_GET_EXECUTED="../src/disfluid ../src/disfluid-example-app" mkdir -p .native || exit 1 cd .native || exit 1 diff --git a/ci.scm b/ci.scm index 46a32fe..3416e8e 100644 --- a/ci.scm +++ b/ci.scm @@ -1,4 +1,4 @@ -;; webid-oidc, implementation of the Solid specification +;; disfluid, implementation of the Solid specification ;; Copyright (C) 2020, 2021 Vivien Kraus ;; This program is free software: you can redistribute it and/or modify @@ -14,7 +14,7 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see . -(use-modules (vkraus packages webid-oidc)) +(use-modules (vkraus packages disfluid)) (use-modules (gnu packages bash)) (use-modules (gnu packages base)) (use-modules (gnu packages tex)) 
@@ -71,14 +71,14 @@ (interned-file tmp-dirname "ci-checkout" #:recursive? #t)))) (delete-file-recursively tmp-dirname) interned)))) - (let ((dist-without-maintainer (dist-package webid-oidc-snapshot checked-out-index)) + (let ((dist-without-maintainer (dist-package disfluid-snapshot checked-out-index)) (version (car (string-split (call-with-input-file (string-append checked-out-index "/.tarball-version") get-string-all) #\newline)))) - (let ((tar-name (string-append "webid-oidc-" version ".tar.gz"))) + (let ((tar-name (string-append "disfluid-" version ".tar.gz"))) (computed-file tar-name #~(let ((source diff --git a/configure.ac b/configure.ac index d1a37aa..960196b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -dnl webid-oidc, implementation of the Solid specification +dnl disfluid, implementation of the Solid specification dnl Copyright (C) 2020, 2021 Vivien Kraus dnl This program is free software: you can redistribute it and/or modify @@ -14,7 +14,7 @@ dnl GNU Affero General Public License for more details. dnl You should have received a copy of the GNU Affero General Public License dnl along with this program. If not, see . -AC_INIT([webid-oidc], m4_esyscmd([bash ./get-version]), [vivien@planete-kraus.eu]) +AC_INIT([disfluid], m4_esyscmd([bash ./get-version]), [vivien@planete-kraus.eu]) AC_CONFIG_SRCDIR([src/libwebidoidc.c]) AM_INIT_AUTOMAKE([subdir-objects]) AM_SILENT_RULES([yes]) diff --git a/doc/Makefile.am b/doc/Makefile.am index 7cdbfd3..d300e77 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -1,4 +1,4 @@ -# webid-oidc, implementation of the Solid specification +# disfluid, implementation of the Solid specification # Copyright (C) 2020, 2021 Vivien Kraus # This program is free software: you can redistribute it and/or modify 
@@ -17,7 +17,7 @@ EXTRA_DIST += \ %reldir%/fdl.texi -info_TEXINFOS = %reldir%/webid-oidc.texi -%canon_reldir%_webid_oidc_texi_TEXINFOS = %reldir%/fdl.texi +info_TEXINFOS = %reldir%/disfluid.texi +%canon_reldir%_disfluid_texi_TEXINFOS = %reldir%/fdl.texi AM_MAKEINFOHTMLFLAGS = --css-include=doc/style.css diff --git a/doc/disfluid.texi b/doc/disfluid.texi new file mode 100644 index 0000000..bebc61b --- /dev/null +++ b/doc/disfluid.texi 
@@ -0,0 +1,1428 @@ +\input texinfo @c -*-texinfo-*- +@comment $Id@w{$} +@documentlanguage en +@comment %**start of header +@include version.texi +@settitle Demanding Interoperability to Strengthen the Free (Libre) Web: Introducing Disfluid +@syncodeindex pg cp +@syncodeindex fn cp +@syncodeindex vr cp +@syncodeindex tp cp +@comment %**end of header + +@copying +This is the manual of disfluid (version @value{VERSION}, @value{UPDATED}), an implementation of the Solid authentication protocol for guile, client and server. + +Copyright @copyright{} 2020, 2021 Vivien Kraus +@quotation +Permission is granted to copy, distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.3 or +any later version published by the Free Software Foundation; with no +Invariant Sections, with no Front-Cover Texts, and with no Back-Cover +Texts. A copy of the license is included in the section entitled ``GNU +Free Documentation License'' +@end quotation +@end copying + +@dircategory Software libraries + +@direntry +* disfluid: (disfluid)Interoperability on the web +@end direntry + +@titlepage +@title Demanding Interoperability to Strengthen the Free (Libre) Web: Introducing Disfluid +@subtitle for version @value{VERSION}, @value{UPDATED} +@author Vivien Kraus (@email{vivien@@planete-kraus.eu}) +@page +@vskip 0pt plus 1fill +@insertcopying +@end titlepage + +@contents +@ifnottex +@node Top +@top Disfluid +@end ifnottex + +@menu +* Decentralized Authentication on the Web:: +* Invoking disfluid:: +* The Json Web Token:: +* Caching on server side:: +* Content negociation:: +* Running an Identity Provider:: +* Running a Resource Server:: +* Running a client:: +* Exceptional conditions:: +* GNU Free Documentation License:: +* Index:: +@end menu + +@node Decentralized Authentication on the Web +@chapter Decentralized Authentication on the Web + +Authentication on the web is currently handled in the following way: +anyone can install a server that will 
authenticate users on the +web. The problem is interoperability. If a client (an application) +wants to authenticate a user, it has to be approved by the +authentication server. In other words, if @var{useful-program} wants +to authenticate @var{MegaCorp} users, then @var{useful-program} has to +register to @var{MegaCorp} first, and get approved. This goes against +the principle of permission-less innovation, which is at the heart of +the web. + +In the decentralized authentication web, the best attempt so far is +that of ActivityPub. All servers are interoperable with respect to +authentication: if user A emits an activity, it is forwarded by A's +server to its recipients, and A's server is responsible for A's +identity. + +The problem with that approach is that the data is tied to the +application. It is not possible to use another application to process +the data differently, or to use multiple data sources, in an +interoperable way (without the ActivityPub server knowing). This means +that on Activitypub, microblogging applications will not present +different activities correctly. This also means that it is difficult +to write a free replacement to a non-free application program, because +it would need to manage the data. + +In the Solid ecosystem, there is a clear distinction between servers +and applications. An application is free to read data from all places +at the same time, using a permission-less authentication system. Since +the applications do not need to store data, the cost of having users +is neglectible, so users do not need prior approval before using them +(making captchas and the like a thing of the past). Servers do not +have a say in which applications the user uses. + +The authentication used is a slight modification of the +well-established OpenID Connect. It is intended to work in a web +browser, but this package demonstrates that it also works without a +web browser. 
+ +@node Invoking disfluid +@chapter Invoking disfluid + +The @samp{disfluid} program provides different modes of operations: + +@table @samp +@item reverse-proxy +Run an authenticating reverse proxy. With this command, you specify a +backend server. When an authenticated user makes a request, you +receive an additional header containing the user’s identity. +@item identity-provider +Run the identity provider only. +@item client-service +The client applications must serve some resources: namely, the client +manifest and the redirect URI. +@item server +Run both an identity provider and a resource server. +@end table + +The server is configured with command-line arguments, and environment +variables. + +@menu +* General options:: +* General server configuration:: +* Configuration for the resource server:: +* Configuration for the identity provider:: +* Configuration for the client service:: +@end menu + +@node General options +@section General options +The server will respond to @samp{-h} and @samp{-v} commands, to get +the help output and the version information. + +The server output (command-line, logs) are localized for the system +administrator. You can control it with the @samp{LANG} environment +variable. So if your locale is not English, you can have the same +commands as in this manual by running with @code{LANG=C}. + +The programs respect the @samp{XDG_DATA_HOME} and +@samp{XDG_CACHE_HOME} to store persistent data and disposable +data. The cache directory can be deleted at any time. If one of these +variables is not set, its value is computed from the @samp{HOME} +environment variable. + +@node General server configuration +@section General server configuration +All servers are published under the Affero GPL, which means that the +service provider needs to publish all changes made to the program to +users over the network. 
The @samp{disfluid} command provides a +@samp{--complete-corresponding-source} option so that the system +administrator can specify a means to download the source. + +The servers will add a @samp{Source:} header in each response, +containing the value of this configuration option. + +The servers can be configured to redirect output and errors to a log +file and an error file, with the @samp{--log-file} and +@samp{--error-file} options. + +The server will listen to port 8080 by default, but this may be +configured with @samp{--port}. Since the servers do not support TLS, +and they only support HTTP/1.1, they are intended to run behind a +reverse proxy (even for the authenticating reverse proxy). + +Finally, the servers are required to know their public name. This is +configured with the @samp{--server-name} option. + +The server will make requests on the world-wide web, for instance to +download client manifests. The requests can be redirected with XML +Catalog, by setting the @samp{XML_CATALOG_FILES} to a space-separated +list of URIs (can be @code{file:} URIs). The requests cannot be +directed to the file system. + +@node Configuration for the resource server +@section Configuration for the resource server +The reverse proxy sets an identity header to authenticated +requests. By default, it is @samp{XXX-Agent}, but it can be configured +with @samp{--header}. + +The reverse proxy is configured to contact a backend URI with +@samp{--backend-uri}. This backend URI should not be directly exposed, +because a malicious user could set the identity header. + +@node Configuration for the identity provider +@section Configuration for the identity provider +The identity provider can only handle one user. If you want to handle +multiple users, it is highly advised to use a different host name for +each user, in case the server is accessed from a web browser. You can +set the identity of the user with @samp{--subject}, and the user’s +password with @samp{--encrypted-password}. 
+ +The encrypted password format is defined by the crypt function in the +C library. For glibc, it looks like this: +@code{$@var{N}$@var{salt}$@var{hash}}, where @var{N} is the algorithm +identifier, @var{salt} is the password salt annd @var{hash} is its +hash. + +The server uses a key, which is not the same thing as the TLS +certificate of the server (remember, the servers don’t support +TLS). It is in the JWK format. You set its file name with +@samp{--key-file}. If the key file does not exist, it will be +generated. + +Finally, the public openid configuration requires you to set the JWKS +URI (@samp{--jwks-uri}), authorization endpoint URI +(@samp{--authorization-endpoint-uri}) and token endpoint URI +(@samp{--token-endpoint-uri}). The identity provider will publish the +full URIs, but will respond to their path, regardless of the host. + +@node Configuration for the client service +@section Configuration for the client service +The client will serve a stupid page for the redirect URI that will +only display the authorization code. The redirect URI is set with +@samp{--redirect-uri}. + +The client ID is set with @samp{--client-id}. This is the URI under +which the client registrationn is served. + +Finally, you can set some cosmetic options, but since it can confuse +the user, they are hidden by default by the identity provider. + +@table @samp +@item --client-name +set the name of the application. +@item --client-uri +set an URI where to find more information about the client. +@end table + +@node The Json Web Token +@chapter The Json Web Token + +The Json Web Token, or @dfn{JWT}, is a terse representation of a pair +of JSON objects: the @dfn{header}, and the @dfn{payload}. 
The JWT can +be @dfn{encoded} as a Json Web Signature (@dfn{JWS}), in which case +the header is encoded to base64 with the URL alphabet, and without +padding characters, the payload is also encoded to base64, and the +concatenation of the encoding of the header, a dot, and the encoding +of the payload is signed with some cryptography algorithm. In the +following, we will only be interested by public-key cryptography. The +concatenation of header, dot, payload, dot and signature in base64 is +the encoding of the JWT. + +Decoded JWT are represented as a pair. The car of the pair is the +header, and the cdr is the payload. Both the header and the payload +use the JSON representation from srfi-180: objects are alists of +@strong{symbols} to values, arrays are vectors. It is unfortunate that +guile-json has a slightly different representation, where alist keys +are @emph{strings}, but we hope that in the future SRFI-180 will be +more closely respected. + +@menu +* The ID token:: +* The access token:: +* The DPoP proof:: +* Generic JWTs:: +@end menu + +@node The ID token +@section The ID token + +The ID token is a special JWT that the application keeps for +itself. It is signed by the identity provider, and contains the +following claims: + +@table @emph +@item webid +the URI of the user’s webid; +@item iss +the URI of the identity provider (issuer); +@item sub +the username (the webid-oidc issuer puts the webid again here, but it +could be any string); +@item aud +the ID of the client application that is intended to receive the ID +token; +@item nonce +some random data to change the signature; +@item exp +an UTC time (in seconds) for when the token expires; +@item iat +the time when it was issued. +@end table + +There are functions to work with ID tokens in +@emph{(webid-oidc oidc-id-token)}. + +@deffn function id-token? @var{object} +Check that @var{object} is a decoded ID token. 
+@end deffn + +The following helper functions convert URIs to the URIs from +@emph{(web uri)} and times to @emph{(srfi srfi-19)} dates. + +@deffn function id-token-webid @var{token} +@deffnx function id-token-iss @var{token} +@deffnx function id-token-sub @var{token} +@deffnx function id-token-aud @var{token} +@deffnx function id-token-nonce @var{token} +@deffnx function id-token-exp @var{token} +@deffnx function id-token-iat @var{token} +Get the suitable field from the payload of @var{token}. +@end deffn + +ID tokens can be signed and encoded as a string, or decoded. + +@deffn function id-token-decode @var{token} @var{[#http-get]} +Decode @var{token}, as a string, into a decoded token. The signature +verification will need to fetch the oidc configuration of the claimed +issuer, and check the signature against the published keys. The +@code{http-get} optional keyword argument can set a different +implementation of @code{http-get} from @emph{(web client)}. Return +@code{#f} if it failed, or the decoded token otherwise. +@end deffn + +@deffn function id-token-encode @var{token} @var{key} +Encode @var{token} and sign it with the issuer’s @var{key}. +@end deffn + +@deffn function issue-id-token @var{issuer-key} @var{#alg} @var{#webid} @var{#iss} @var{#sub} @var{#aud} @var{#exp} @var{#iat} +Create an ID token, and encode it with @var{issuer-key}. +@end deffn + +@node The access token +@section The access token + +The access token is obtained by the client through a token request, +and is presented to the server on each authenticated request. It is +signed by the identity provider, and it contains enough information so +that the server knows who the user is and who the agent is, and most +importantly the fingerprint of the key that the client should use in a +DPoP proof. + +The API is defined in @emph{(webid-oidc access-token)}. + +@deffn function access-token? @var{object} +Check that @var{object} is a decoded access token. 
+@end deffn + +There are field getters for the access token: + +@deffn function access-token-webid @var{token} +@deffnx function access-token-iss @var{token} +@deffnx function access-token-aud @var{token} +@deffnx function access-token-exp @var{token} +@deffnx function access-token-iat @var{token} +@deffnx function access-token-cnf/jkt @var{token} +@deffnx function access-token-client-id @var{token} +Get the suitable field from the payload of @var{token}. +@end deffn + +Access tokens can be signed and encoded as a string, or decoded. + +@deffn function access-token-decode @var{token} @var{[#http-get]} +Decode @var{token}, as a string, into a decoded token. As with the ID +token, the signature verification will need to fetch the oidc +configuration of the claimed issuer, and check the signature against +the published keys. The @code{http-get} optional keyword argument can +set a different implementation of @code{http-get} from +@emph{(web client)}, for instance to re-use the what has been obtained +by the ID token validation. Return @code{#f} if it failed, or the +decoded token otherwise. +@end deffn + +@deffn function access-token-encode @var{token} @var{key} +Encode @var{token} and sign it with the issuer’s @var{key}. +@end deffn + +@deffn function issue-access-token @var{issuer-key} @var{#alg} @var{#webid} @var{#iss} @var{#exp} @var{#iat} @var{[#client-key} @var{|} @var{#cnf/jkt]} @var{#client-id} +Create an access token, and encode it with @var{issuer-key}. You can +either set the @code{#:cnf/jkt} keyword argument with the fingerprint +of the client key, or set @code{#:client-key} directly, in which case +the fingerprint will be computed for you. +@end deffn + +@node The DPoP proof +@section The DPoP proof + +This is a special JWT, that is signed by a key controlled by the +application. The access token certifies that the key used to sign the +proof is approved by the identity provider. + +@deffn function dpop-proof? 
@var{proof} +Check that the @var{proof} is a decoded DPoP proof. The validity of +the proof is not checked by this function. +@end deffn + +@deffn function dpop-proof-alg @var{proof} +@deffnx function dpop-proof-jwk @var{proof} +@deffnx function dpop-proof-jti @var{proof} +@deffnx function dpop-proof-htm @var{proof} +@deffnx function dpop-proof-htu @var{proof} +@deffnx function dpop-proof-iat @var{proof} +@deffnx function dpop-proof-ath @var{proof} +Get the corresponding field of the proof. +@end deffn + +@deffn function dpop-proof-decode @var{current-time} @var{jti-list} @var{method} @var{uri} @var{str} @var{cnf/check} @var{[#:access-token]} +Check and decode a DPoP proof encoded as @var{str}. + +The @var{current-time} is passed as a date, time or number (of +seconds). + +In order to prevent replay attacks, each proof has a unique random +string that is remembered in @var{jti-list} until its expiration date +is reached. See the @code{make-jti-list} function. + +The proof is limited to the scope of one @var{uri} and one +@var{method} (@code{'GET}, @code{'POST} and so on). + +The key that is used to sign the proof should be confirmed by the +identity provider. To this end, the @var{cnf/check} function is called +with the fingerprint of the key. The function should check that the +fingerprint is OK (return a boolean). + +Finally, when the DPoP proof is tied to an access token (so, for all +uses except requesting an access token or a refresh token), it must be +bound to an @var{access-token}. +@end deffn + +@deffn function make-jti-list +This function in @emph{(webid-oidc jti-list)} creates an in-memory, +async-safe, thread-safe cache for the proof IDs. +@end deffn + +@deffn function dpop-proof-encode @var{proof} @var{key} +Encode the proof and sign it with @var{key}. To generate valid proofs, +@var{key} should be the private key corresponding to the @code{jwk} +field of the proof. 
+@end deffn + +@deffn function issue-dpop-proof @var{client-key} @var{#alg} @var{#htm} @var{#htu} @var{#iat} {[#:@var{access-token}=#f]} +Create a proof, sign it and encode it with +@var{client-key}. @var{client-key} should contain both the private and +public key, because the public part is written in the proof and the +private part is used to sign it. For most uses, the DPoP proof should +be encoded for a specific access token. Only token requests should +omit the @samp{access-token} field. +@end deffn + +@node Generic JWTs +@section Generic JWTs + +You can parse generic JWTs signed with JWS with the following +functions from @emph{(webid-oidc jws)}. + +@deffn function jws? @var{jwt} +Check that @var{jwt} is a decoded JWT signed with JWS. +@end deffn + +@deffn function jws-alg @var{jwt} +Get the algorithm used to sign @var{jwt}. +@end deffn + +@deffn function jws-decode @var{str} @var{lookup-keys} +Check and decode a JWT signed with JWS and encoded as @var{str}. + +Since the decoding and signature verification happen at the same time +(for user friendliness), the @var{lookup-keys} function is used. It is +passed as arguments the decoded JWT (but the signature is not checked +yet), and it should return a public key, a public key set or a list of +public keys. If the key lookup failed, this function should raise an +exception. +@end deffn + +@deffn function jws-encode @var{jwt} @var{key} +Encode the JWT and sign it with @var{key}. +@end deffn + +@node Caching on server side +@chapter Caching on server side + +Both the identity provider and the resource server need to cache +things. The identity provider will cache application webids, and the +resource server will cache the identity provider keys, for instance. + +The solution is to use a file-system cache. Every response (except +those that have a cache-control policy of no-store) are stored to a +sub-directory of @emph{XDG_CACHE_HOME}. Each store has a 5% chance of +triggering a cleanup of the cache. 
When a cleanup occurs, each cached +response has a 5% chance of being dropped, including responses that +are indicated as valid. This way, a malicious cache response that has +a maliciously long validity will not stay too long in the cache. A log +line will indicate which items are dropped. + +The @emph{(webid-oidc cache)} module exports two functions to deal +with the cache. + +@deffn function clean-cache @var{[#percents]} @var{[#dir]} +Drop @var{percents}% of the cache right now, in @var{dir} (defaults to +some place within @emph{XDG_CACHE_HOME}). +@end deffn + +@deffn function with-cache @var{[#current-time]} @var{[#http-get]} @var{[#dir]} +Return a function acting as @emph{http-get} from @emph{(web client)} +(takes an URI as the first parameter, and an optional @var{#:headers} +set, and returns 2 values, the response and its body). + +The cache will be read and written in @var{dir} (defaults to some +place within @emph{XDG_CACHE_HOME}), and the @var{current-time} number +of seconds, SRFI-19 time or date, or time-returning thunk will be used +to check for the validity of responses. + +The back-end function, @var{http-get}, defaults to that of +@emph{(web client)}. +@end deffn + +@node Content negociation +@chapter Content negociation +There are a number of different available syntaxes for RDF, some being +simple and human readable like @emph{turtle}, and others more adapted +to the JavaScript ecosystem like @emph{json-ld}. To help clients both +from and outside of the JS ecosystem, the server needs to perform +@dfn{content negociation}, i.e. convert from one content-type to +another. + +@deffn {function from @code{(webid-oidc serve)}} convert @var{client-accepts} @var{server-name} @var{path} @var{content-type} @var{content} +Convert the resource representation under @var{path} on +@var{server-name}, which has a given @var{content-type} and +@var{content}, to a content-type that the @var{client accepts}. 
+ +Return 2 values: +@enumerate +@item +the accepted content-type; +@item +the content in the given content-type. +@end enumerate + +Currently, the only conversions are from and to @emph{Turtle} and +@emph{N-Quads}. +@end deffn + +@node Running an Identity Provider +@chapter Running an Identity Provider + +This project is packaged with a barebones identity provider. It has an +authorization endpoint and a token endpoint (and it serves its public +keys), but it is only intended for one specific person. + +You can start it by invoking the @code{webid-oidc} program with the +@code{issuer} command, with the following options: + +@table @asis +@item @code{-h}, or @code{--help} +prints a summary of options and exit. +@item @code{-v}, or @code{--version} +prints the version of the program and exits. +@item @code{-n @var{URI}}, or @code{--server-name=@var{URI}} +sets the global server name of the identity provider. It should have +an empty path. +@item @code{-k @var{FILE.jwk}}, or @code{--key-file=@var{FILE.jwk}} +sets the file name where to read or generate a key for the identity +provider. This file should be JSON, containing the representation of a +JWK key pair. +@item @code{-s @var{WEBID}}, or @code{--subject=@var{WEBID}} +sets the webid of the only user of the identity provider. This is an +URI, pointing to a RDF node corresponding to the user’s profile. +@item @code{-w @var{PASSWORD}}, or @code{--password=@var{PASSWORD}} +sets the password that the user must enter to authorize an +application. +@item @code{-j @var{URI}}, or @code{--jwks-uri=@var{URI}} +tells the server that requests to @var{URI} should be responded with +the public key used to sign the tokens. +@item @code{-a @var{URI}}, or @code{--authorization-endpoint-uri=@var{URI}} +tells the server that requests to @var{URI} should be treated as +authorization requests. 
+@item @code{-t @var{URI}}, or @code{--token-endpoint-uri=@var{URI}} +tells the server that requests to @var{URI} should be treated as token +negociation requests. +@item @code{-p @var{PORT}}, or @code{--port=@var{PORT}} +change the port number used by the server. By default, it is set to +8080. +@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} +let the server dump all its output to @var{FILE.log}. Since I don’t +know how to deal with syslog, this is the only way to keep logs with a +shepherd service. +@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} +let the server dump all its errors to @var{FILE.err}. +@end table + +The program is sensitive to the environment variables. The most +important one is @emph{LANG}, which influences how the program is +internationalized to the server administrator (the pages served to the +user use the user agent’s locale). This changes the long form of the +options, and the language in the log files. + +The @emph{XDG_DATA_HOME} should point to some place where the program +will store refresh tokens, under the @code{webid-oidc} directory. For +a system service, you might want to define that environment to +@code{/var/lib}, for instance. + +The @emph{XDG_CACHE_HOME} should point to a directory where to store +the seed of the random number generator (under a @code{webid-oidc} +directory, again). Changing the seed only happens when a program +starts to require the random number generator. You can safely delete +this directory, but you need to restart the program to actually change +the seed. + +@node Running a Resource Server +@chapter Running a Resource Server + +@menu +* The authenticator:: +* The full server:: +* Resources stored on the server:: +@end menu + +A Solid server is the server that manages your data. It needs to check +that the proofs of possession are correct, and the possessed key is +signed by the identity provider. 
+ +@node The authenticator +@section The authenticator + +In @emph{(webid-oidc resource-server)}, the following function gives a +simple API for a web server: + +@deffn function make-authenticator @var{jti-list} @var{[#server-uri]} @var{[#current-time]} @var{[#http-get]} +Create an authenticator, i.e. a function that takes a request and +request body and returns the webid of the authenticated user, or +@code{#f} if it is not authenticated. + +To prevent replay attacks, each request is signed by the client with a +different unique padding value. If such a value has already been seen, +then the request must fail. + +The authenticator expects the client to demonstrate the possession of +a key that the identity provider knows. So the client creates a DPoP +proof, targetted to a specific URI. In order to check that the URI is +correct, the authenticator needs the public URI of the service. + +The JTIs are checked within a small time frame. By default, the system +time will be used. Otherwise, you can customize the +@code{current-time} optional keyword argument, to pass a thunk +returning a time from @emph{(srfi srfi-19)}. + +You may want to customize the @var{http-get} optional keyword argument +to pass a function to replace @code{http-get} from @emph{(http +client)}. This function takes an URI and optional @code{#:headers} +arguments, makes the request, and return two values: the response, and +the response body. + +This function, in @emph{(webid-oidc resource-server)}, returns a web +request handler, taking the request and request body, and returning +the subject of the access token. If an error happens, it is thrown; +the function always returns a valid URI. 
+@end deffn + +@node The full server +@section The full server + +@deffn {function from @emph{(webid-oidc resource-server)}} make-server @var{[#:server-uri]} @var{[#:owner]} @var{[#:authenticator]} @var{[#:current-time]} @var{[#:http-get]} +Return a server handler, a function taking 2 values, a request and a +request body, and returning 2 values, the response and response body. + +The optional @var{[#:authenticator]} argument defaults to the +webid-oidc authenticator, @var{[#:current-time]} defaults to a thunk +returning the system time and @var{[#:http-get]} to the web client +from @emph{(web client)}. +@end deffn + +@node Resources stored on the server +@section Resources stored on the server + +To store and serve resources, the server has two distinct +mechanisms. A @dfn{content} is a read-only possible value for a +resource, indexed by etags, and a @dfn{path} is a mutable value that +indicates the etag of the resource, and of the auxiliary resources +(description and ACL). With this separation, it is possible to +atomically delete a resource and all associated auxiliary resources, +by unlinking the corresponding @emph{path}. It is also possible to +mutate separately the ACL and the resource itself without writing a +copy for both. + +The @emph{content} API is contained in the +@code{(webid-oidc server resource content)} module. + +@deffn function with-session @var{f} [@var{#:dir}] +Call @var{f} with 5 arguments: +@itemize +@item +a function to get the content-type of a given etag; +@item +a function to list the paths contained within the resource; +@item +a function to load the content of a given etag; +@item +a function to create a new content; +@item +a function to remove a content from the file system. It is still +possible to query it with the first 3 functions, but new sessions will +not see it. +@end itemize + +Since the contents are read-only, it is possible to cache the value of +the content in memory. 
This is why @var{f} should run within a session +with memoization. + +Resources only store @emph{static} content, because the membership +triples for containers is considered dynamic and not included in the +representation. + +The first 3 functions as well as the last one are called with an etag, +and the function to create a content is called with the content-type, +list of contained paths, and (static) content. + +By default, the contents are stored within @var{XDG_DATA_HOME}, but it +can be overriden by @var{#:dir}. +@end deffn + +The @emph{path} API is defined in +@code{(webid-oidc server resource path)}. + +@deffn function read-path @var{path} +Read the resource at @var{path}, and return 2 values: +@enumerate +@item +the ETag of the main resource; +@item +an alist where keys are auxiliary resource type URIs (the type is from +@code{(web uri)}), and the values are ETags of the corresponding +resource. +@end enumerate + +If the resource is not found, raise an exception with type +@code{&path-not-found}, and maybe @code{&uri-slash-semantics-error} if +a resource with a different ending-in-slash exists. + +This function is safe to call when the path is being modified, either +by another thread, process or else, as the returned values will always +be consistent. However, once the function returns, an updating process +may have deleted the returned ETags. If this is the case, then you +must call this function again to read the updated path. +@end deffn + +@deffn function update-path @var{path} @var{f} @var{content-type} @var{contained} @var{static-content} @var{create} @var{delete} [@var{#:create-intermediate-containers?}=@code{#f}] +Read @var{path}, call @var{f} with two values: the ETag and the +auxiliary ETags (as returned by @var{read-path}), and update the path +accordingly. If @var{path} does not exist, then the first argument is +@code{#f} and the second one is the empty list. + +If @var{f} returns @code{#f}, then the resource is deleted. 
+ +If @var{f} returns an ETag as the first returned value and an alist of +auxiliary resource ETags as the second value, then the resource is +updated. + +The last functions are from the content API. Since creating or +deleting children requires updating the parent, we need them. + +Some operations should create the intermediate containers for a given +path, this is the case for the @code{PUT} HTTP verb. For @code{POST}, +the parent should exist. The @var{#:create-intermediate-containers?} +switch lets you change the behavior. In any case, it is an error to +delete a non-empty container. + +The update is atomic, meaning that at any point in time the file is +fully written out. Concurrent access to the same resource is performed +by locking the lock file named @var{X}/.lock, where @var{X} is the +first character of the base64-url sha-256 hash of the +path. @strong{The lock file is not meant to be removed} when the +resource is unlocked. It should be locked with @code{flock} +instead. @strong{Like other forms of lock-based synchronization, this +function is not composable}. This means that you cannot call this +function within @var{f}, otherwise a deadlock may ensue. + +If the resource is created or deleted, then the parent resource is +updated as well. To avoid deadlocks with other processes, please +follow the following rules: lock the path, then lock the parent path, +then update the parent, then unlock the parent, and finally unlock the +child path. +@end deffn + +The Web Access Control specification defines an RDF vocabulary to +check whether a given user is allowed to perform some operations. The +@code{(webid-oidc server resource wac)} helps you do that. + +@deffn function wac-get-modes @var{server-name} @var{path} @var{user} @var{[#:http-get]} +Return the list of modes that are allowed for @var{user} accessing +@var{path}. The @var{server-name} URI is required to find the relevant +triples in the ACL. If @var{user} is unauthenticated, pass @code{#f}. 
+ +Please note that in any case, the data owner should have all rights +whatsoever, bypassing WAC. Otherwise, it is possible to steal control +away from the data owner. +@end deffn + +@deffn function check-acl-can-read @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} +@deffnx function check-acl-can-write @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} +@deffnx function check-acl-can-append @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} +@deffnx function check-acl-can-control @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} +Assert that the resource at @var{path} on @var{server-name} is owned +by @var{owner}, and check that @var{user} has the proper +authorization. Otherwise, raise an exception of type +@code{&forbidden}. +@end deffn + +@node Running a client +@chapter Running a client + +To run a client, you need to proceed in two steps. First, acquire an +OIDC ID token and an access token from the identity provider, and then +present the access token and a proof of possession of the linked key +in each request, in a DPoP HTTP header. + +The first operation is performed by the @emph{(webid-oidc client)} +module. + +@deffn function authorize @var{host/webid} @var{#client-id} @var{#redirect-uri} @var{[#state]} @var{[#http-get]} +The user enters a valid webid or a host name, and then this function +will query it (with the @var{http-get} parameter, by default the web +client from @emph{(web client)}) to determine the authorization +endpoint. The function will return an alist of authorization URIs, +indexed by approved identity provider URIs, that the user should +browse with a traditional web browser. + +Each application should have its own webid, or in that case +@var{client-id}, that can be dereferenced by the identity provider. + +Once the user has given authorization, the user’s agent will be +redirected to @var{redirect-uri}, with the authorization code as a GET +parameter. 
It is possible to pass a @var{state}, but this is optional. +@end deffn + +Once the client gets the authorization code, it is necessary to create +an access token and ID token. + +@deffn function token @var{host} @var{client-key} @var{[#authorization-code]} @var{[#refresh-token]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} +Trade an @var{authorization-code}, or a @var{refresh-token}, for an ID +token and an access token bound to the @var{client-key} issued by +@var{host}, the identity provider. + +You can override the HTTP client used (@var{http-get} and +@var{http-post}), and how to compute the time (@var{current-time}). +@end deffn + +In an application, you would have a list of profiles in XDG_DATA_HOME, +consisting of triples (webid, issuer, refresh token). + +@deffn function list-profiles @var{[#dir]} +Read the list of available profiles. Returns a list of triples, webid, +issuer, reresh token. + +By default, this function will look for the profiles file in +@var{XDG_DATA_HOME}. You can bypass it by providing the @var{#dir} +optional keyword argument. +@end deffn + +@deffn function setup @var{get-host/webid} @var{choose-provider} @var{browse-authorization-uri} @var{#client-id} @var{#redirect-uri} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} +Negociate a refresh token, and save it. The function returns 3 values: +the decoded ID token pyload, the encoded access token and the key +pair. + +The @var{get-host/webid} thunk should ask the user’s webid or identity +provider, and return it. @var{choose-provider} is called with a list +of possible identity providers as host names (strings), and the user +should choose one. The chosen one is returned. Finally, +@var{browse-authorization-uri} should ask or let the user browse an +URI as its argument, and return the authorization code taken from the +redirect URI. + +The refresh token is saved to disk, as a profile, in +XDG_DATA_HOME. 
Pass the optional @var{#dir} keyword argument to +override the location. + +You need to set @var{client-id} to the public webid of the app, and +@var{redirect-uri} to one of the approved redirection URIs for the +application ID. +@end deffn + +@deffn function login @var{webid} @var{issuer} @var{refresh-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} +If you have already a known profile, you can use it to automatically +log in. This function might update the refresh token if it changed, so +you can again set @var{#dir}. Please note that the @var{refresh-token} +is bound to the client @var{key} on server side, so you must always +use the same @var{key}. +@end deffn + +@deffn function refresh @var{id-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} +If you have an ID token bound to a known profile, this helper function +will look up the associated refresh token and log in. +@end deffn + +@deffn function make-client @var{id-token} @var{access-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#http-request]} @var{[#current-time]} +Return a replacement of @code{http-request} from @emph{(web client)}, +that automatically signs requests and refresh the tokens when needed. + +@var{#http-get} and @var{#http-post} are only used to refresh the +tokens, while @var{#http-request} is used as a back-end for the +requests. + +@var{#current-time} is set to a thunk that returns the time. It is +used to issue DPoP proofs. +@end deffn + +An example application is provided as the +@code{disfluid-example-app} program. It demonstrates how +authentication is done. It should help you understand how Solid-OIDC +works. + +The identity provider needs to call the application on the web. So, +your client should have a public endpoint on the web. 
+ +@deffn function serve-application @var{id} @var{redirect-uri} @var{[#client-name]} @var{[#client-uri]} +Return a handler for web requests to serve the application manifest +and the redirection to transmit the authorization code. You should set +the @var{client-name} to your application name and @var{client-uri} to +point to where to a presentation of your application. +@end deffn + +@node Exceptional conditions +@chapter Exceptional conditions + +The library will raise an exception whenever something fishy +occurs. For instance, if a signature is invalid, or the expiration +date has passed. All exception types are defined in +@code{(webid-oidc errors)}. + +@deffn function error->str @var{error} @var{[#depth]} +Return a string explaining the @var{error}. You can limit the +@var{depth} of the explanation as an integer. +@end deffn + +@menu +* Invalid data format:: +* Invalid JWT:: +* Cannot fetch data on the web:: +* Other errors in the protocol or from a reasonable implementation:: +* Server-side errors:: +@end menu + +@node Invalid data format +@section Invalid data format +There are a few JSON objects with required fields. This exceptions +usually occur as the cause of a higher-level exception. + +@deftp {exception type} ¬-base64 @var{value} @var{cause} +This exception is raised when the base64 decoding function +failed. @var{value} is the incorrect input, and @var{cause} is a +low-level error. +@end deftp + +@deftp {exception type} ¬-json @var{value} @var{cause} +Cannot decode @var{value} to a JSON object. +@end deftp + +@deftp {exception type} ¬-turtle @var{value} @var{cause} +Cannot decode @var{value} to a RDF graph. +@end deftp + +@deftp {exception type} &incorrect-webid-field @var{value} +The @var{value} of the webid field in the JWT is missing (if +@code{#f}), or not an acceptable value. +@end deftp + +@deftp {exception type} &incorrect-iss-field @var{value} +The @var{value} of the iss field is incorrect. 
+@end deftp + +@deftp {exception type} &incorrect-aud-field @var{value} +The @var{value} of the aud field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-iat-field @var{value} +The @var{value} of the iat field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-exp-field @var{value} +The @var{value} of the exp field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-cnf/jkt-field @var{value} +The @var{value} of the cnf/jkt field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-client-id-field @var{value} +The @var{value} of the client-id field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-typ-field @var{value} +The @var{value} of the typ field in the DPoP proof header is +incorrect. +@end deftp + +@deftp {exception type} &incorrect-jwk-field @var{value} @var{cause} +The @var{value} of the jwk field in the DPoP proof header is +incorrect. +@end deftp + +@deftp {exception type} &incorrect-jti-field @var{value} +The @var{value} of the jti field in the DPoP proof is incorrect. +@end deftp + +@deftp {exception type} &incorrect-htm-field @var{value} +The @var{value} of the htm field in the DPoP proof is incorrect. +@end deftp + +@deftp {exception type} &incorrect-htu-field @var{value} +The @var{value} of the htu field in the DPoP proof is incorrect. +@end deftp + +@deftp {exception type} &incorrect-ath-field @var{value} +The @var{value} of the ath field is not the hash of the access token. +@end deftp + +@deftp {exception type} &incorrect-redirect-uris-field @var{value} +The @var{value} of the redirect-uris field of a client manifest is +incorrect. +@end deftp + +@deftp {exception type} &incorrect-typ-field @var{value} +The @var{value} of the typ field in the DPoP proof header is +incorrect. +@end deftp + +@deftp {exception type} &incorrect-sub-field @var{value} +The @var{value} of the sub field is incorrect. 
+@end deftp + +@deftp {exception type} &incorrect-iss-field @var{value} +The @var{value} of the iss field is incorrect. +@end deftp + +@deftp {exception type} &incorrect-nonce-field @var{value} +The @var{value} of the nonce field in the DPoP proof is incorrect. +@end deftp + +@deftp {exception type} &incorrect-htm-field @var{value} +The @var{value} of the htm field in the DPoP proof is incorrect. +@end deftp + +@deftp {exception type} ¬-a-client-manifest @var{value} @var{cause} +The @var{client-manifest} is incorrect. +@end deftp + +@node Invalid JWT +@section Invalid JWT +Each JWT type – access token, DPoP proof, ID token, authorization code +(this is internal to the identity provider) has different validation +rules, and can fail in different ways. + +@deftp {exception type} &unsupported-crv @var{crv} +The identifier @var{crv} does not identify an elliptic curve. +@end deftp + +@deftp {exception type} ¬-a-jwk @var{value} @var{cause} +@var{value} does not identify a JWK. +@end deftp + +@deftp {exception type} ¬-a-public-jwk @var{value} @var{cause} +@var{value} does not identify a public JWK. +@end deftp + +@deftp {exception type} ¬-a-private-jwk @var{value} @var{cause} +@var{value} does not identify a private JWK. +@end deftp + +@deftp {exception type} ¬-a-jwks @var{value} @var{cause} +@var{value} does not identify a set of public keys. +@end deftp + +@deftp {exception type} &unsupported-alg @var{value} +@var{value} does not identify a valid hash algorithm. +@end deftp + +@deftp {exception type} &invalid-signature @var{key} @var{payload} @var{signature} +@var{key} has not signed @var{payload} with @var{signature}. +@end deftp + +@deftp {exception type} &missing-alist-key @var{value} @var{key} +@var{value} isn’t an alist, or is missing a value with @var{key}. +@end deftp + +@deftp {exception type} ¬-a-jws-header @var{value} @var{cause} +@var{value} does not identify a decoded JWS header. 
+@end deftp + +@deftp {exception type} ¬-a-jws-payload @var{value} @var{cause} +@var{value} does not identify a decoded JWS payload. +@end deftp + +@deftp {exception type} ¬-a-jws @var{value} @var{cause} +@var{value} does not identify a decoded JWS. +@end deftp + +@deftp {exception type} ¬-in-3-parts @var{string} @var{separator} +@var{string} cannot be split into 3 parts with @var{separator}. +@end deftp + +@deftp {exception type} &no-matching-key @var{candidates} @var{alg} @var{payload} @var{signature} +No key among @var{candidates} could verify @var{signature} signed with +@var{alg} for @var{payload}, because the signature mismatched for all +keys. +@end deftp + +@deftp {exception type} &cannot-decode-jws @var{value} @var{cause} +The @var{value} string is not an encoding of a valid JWS. +@end deftp + +@deftp {exception type} &cannot-encode-jws @var{jws} @var{key} @var{cause} +The @var{jws} cannot be signed. +@end deftp + +@deftp {exception type} ¬-an-access-token @var{value} @var{cause} +The @var{value} is not an access token. +@end deftp + +@deftp {exception type} ¬-an-access-token-header @var{value} @var{cause} +The @var{value} is not an access token header. +@end deftp + +@deftp {exception type} ¬-an-access-token-payload @var{value} @var{cause} +The @var{value} is not an access token payload. +@end deftp + +@deftp {exception type} &cannot-decode-access-token @var{value} @var{cause} +The @var{value} string is not an encoding of a valid access token. +@end deftp + +@deftp {exception type} &cannot-encode-access-token @var{access-token} @var{key} @var{cause} +The @var{access-token} cannot be signed. +@end deftp + +@deftp {exception type} ¬-a-dpop-proof @var{value} @var{cause} +The @var{value} is not a DPoP proof. +@end deftp + +@deftp {exception type} ¬-a-dpop-proof-header @var{value} @var{cause} +The @var{value} is not a DPoP proof header. 
+@end deftp + +@deftp {exception type} ¬-a-dpop-proof-payload @var{value} @var{cause} +The @var{value} is not a DPoP proof payload. +@end deftp + +@deftp {exception type} &cannot-decode-dpop-proof @var{value} @var{cause} +The @var{value} string is not an encoding of a valid DPoP proof. +@end deftp + +@deftp {exception type} &cannot-encode-dpop-proof @var{dpop-proof} @var{key} @var{cause} +The @var{dpop-proof} cannot be signed. +@end deftp + +@deftp {exception type} ¬-an-authorization-code @var{value} @var{cause} +The @var{value} is not an authorization code. +@end deftp + +@deftp {exception type} ¬-an-authorization-code-header @var{value} @var{cause} +The @var{value} is not an authorization code header. +@end deftp + +@deftp {exception type} ¬-an-authorization-code-payload @var{value} @var{cause} +The @var{value} is not an authorization code payload. +@end deftp + +@deftp {exception type} &cannot-decode-authorization-code @var{value} @var{cause} +The @var{value} string is not an encoding of a valid authorization +code. +@end deftp + +@deftp {exception type} &cannot-encode-authorization-code @var{authorization-code} @var{key} @var{cause} +The @var{authorization-code} cannot be signed. +@end deftp + +@deftp {exception type} ¬-an-id-token @var{value} @var{cause} +The @var{value} is not an ID token. +@end deftp + +@deftp {exception type} ¬-an-id-token-header @var{value} @var{cause} +The @var{value} is not an ID token header. +@end deftp + +@deftp {exception type} ¬-an-id-token-payload @var{value} @var{cause} +The @var{value} is not an ID token payload. +@end deftp + +@deftp {exception type} &cannot-decode-id-token @var{value} @var{cause} +The @var{value} string is not an encoding of a valid ID token. +@end deftp + +@deftp {exception type} &cannot-encode-id-token @var{id-token} @var{key} @var{cause} +The @var{id-token} cannot be signed. 
+@end deftp + +@node Cannot fetch data on the web +@section Cannot fetch data on the web +In the client (local and public parts), resource server and identity +provider, the protocol requires to fetch data on the web. + +@deftp {exception type} &request-failed-unexpectedly @var{response-code} @var{response-reason-phrase} +We expected the request to succeed, but the server sent a non-OK +@var{response-code}. +@end deftp + +@deftp {exception type} &unexpected-header-value @var{header} @var{value} +We did not expect the server to respond with @var{header} set to +@var{value}. +@end deftp + +@deftp {exception type} &unexpected-response @var{response} @var{cause} +The @var{response} (from @emph{(web response)}) is not appropriate. +@end deftp + +@deftp {exception type} ¬-an-oidc-configuration @var{value} @var{cause} +The @var{value} is not appropriate an OIDC configuration. +@end deftp + +@deftp {exception type} &cannot-fetch-issuer-configuration @var{issuer} @var{cause} +It is impossible to fetch the configuration of @var{issuer}. +@end deftp + +@deftp {exception type} &cannot-fetch-jwks @var{issuer} @var{uri} @var{cause} +It is impossible to fetch the keys of @var{issuer} at @var{uri}. +@end deftp + +@deftp {exception type} &cannot-fetch-linked-data @var{uri} @var{cause} +Could not fetch the graph referenced by @var{uri}. +@end deftp + +@deftp {exception type} &cannot-fetch-client-manifest @var{id} @var{cause} +Could not fetch a client manifest at @var{id}. +@end deftp + +@node Other errors in the protocol or from a reasonable implementation +@section Other errors in the protocol or from a reasonable implementation +The protocol does not rely solely on JWT validation, so these errors +may happen too. + +@deftp {exception type} &dpop-method-mismatch @var{signed} @var{requested} +The method value @var{signed} in the DPoP proof does not match the +method that is @var{requested} on the server. 
+@end deftp + +@deftp {exception type} &dpop-uri-mismatch @var{signed} @var{requested} +The URI value @var{signed} in the DPoP proof does not match the URI +that is @var{requested} on the server. +@end deftp + +@deftp {exception type} &dpop-signed-in-future @var{signed} @var{current} +The proof is @var{signed} for a date which is too much ahead of the +@var{current} time. +@end deftp + +@deftp {exception type} &dpop-too-old @var{signed} @var{current} +The proof was @var{signed} at a past date of @var{current}. +@end deftp + +@deftp {exception type} &dpop-unconfirmed-key @var{key} @var{expected} @var{cause} +The confirmation of @var{key} is not what is @var{expected}, or (if a +function was passed as @var{cnf/check}) the @var{cause} exception +occurred while confirming. +@end deftp + +@deftp {exception type} &dpop-invalid-access-token-hash @var{hash} @var{access-token} +The @var{access-token} passed to the resource server does not match +the @var{hash} provided in the DPoP proof. +@end deftp + +@deftp {exception type} &jti-found @var{jti} @var{cause} +The @var{jti} of the proof has already been issued in a recent past. +@end deftp + +@deftp {exception type} &unauthorized-redirection-uri @var{manifest} @var{uri} +The authorization @var{uri} is not advertised in @var{manifest}. +@end deftp + +@deftp {exception type} &cannot-serve-public-manifest +You cannot serve the public client manifest. +@end deftp + +@deftp {exception type} &no-client-manifest-registration @var{id} +The @var{id} client manifest does not have a registration triple in +its document. +@end deftp + +@deftp {exception type} &inconsistent-client-manifest-id @var{id} @var{advertised-id} +The client @var{manifest} is being fetched at @var{id}, but it is +valid for another client @var{advertised-id}. +@end deftp + +@deftp {exception type} &authorization-code-expired @var{exp} @var{current-time} +The authorization code has expired at @var{exp}, it is now +@var{current-time}. 
+@end deftp + +@deftp {exception type} &invalid-refresh-token @var{refresh-token} +The @var{refresh-token} is unknown to the identity provider. +@end deftp + +@deftp {exception type} &invalid-key-for-refresh-token @var{key} @var{jkt} +The refresh token was issued for @var{jkt}, but it is used with +@var{key}. +@end deftp + +@deftp {exception type} &unknown-client-locale @var{web-locale} @var{c-locale} +The @var{web-locale} of the client, translated to C as @var{c-locale}, +cannot be set. This exception is always continuable; if the handler +returns, then the page will be served in the english locale. +@end deftp + +@deftp {exception type} &unsupported-grant-type @var{value} +The token request failed to indicate a @var{value} for the grant type, +or indicated an unsupported grant type. +@end deftp + +@deftp {exception type} &no-authorization-code +The token request forgot to put an authorization code. +@end deftp + +@deftp {exception type} &no-refresh-token +The token request forgot to put a refresh token with the request. +@end deftp + +@deftp {exception type} &unconfirmed-provider @var{subject} @var{provider} +@var{provider} is not confirmed by @var{subject} as an identity +provider. +@end deftp + +@deftp {exception type} &no-provider-candidates @var{webid} @var{causes} +The @var{webid} cannot be certified by any identity providers. The +@var{causes} alist indicates an error for each candidates. +@end deftp + +@deftp {exception type} &neither-identity-provider-nor-webid @var{uri} @var{why-not-identity-provider} @var{why-not-webid} +The @var{uri} you passed to get an authorization code is neither an +identity provider (because @var{why-not-identity-provider}) nor a +webid (because @var{why-not-webid}). +@end deftp + +@deftp {exception type} &token-request-failed @var{cause} +The token request failed on the server. 
+@end deftp + +@deftp {exception type} &profile-not-found @var{webid} @var{iss} @var{dir} +The @var{webid}, as certified by @var{iss}, cannot be refreshed +because we don’t have a refresh token stored in @var{dir}. +@end deftp + +@node Server-side errors +@section Server-side errors +The resource server implementation may encounter some more exceptional +conditions. + +@deftp {exception type} &path-not-found @var{path} +There is no registered resource at @var{path}. +@end deftp + +@deftp {exception type} &auxiliary-resource-absent @var{path} @var{kind} +The auxiliary resource of given @var{kind} is not instanciated on the +server for the base resource @var{path}. +@end deftp + +@deftp {exception type} &uri-slash-semantics-error @var{path} @var{expected-path} +While the resource at @var{path} does not exist, the resource at +@var{expected-path} does, and @var{path} and @var{expected-path} +differ only by a trailing slash. This exception may be raised along +with @code{&path-not-found}. + +Beware that even if it is true at the time when the exception is +created, maybe the resource has been created by the time it is +handled. +@end deftp + +@deftp {exception type} &cannot-delete-root +There was a request to delete the root storage, which is an error. +@end deftp + +@deftp {exception type} &container-not-empty @var{path} +There was a request to delete a non-empty container. +@end deftp + +@deftp {exception type} &cannot-fetch-group @var{group-uri} @var{cause} +The access control could not fetch the group @var{group-uri} (with a +known @var{cause}). This warning is continuable every time it is +raised. If the handler returns, then the group will be considered +empty. +@end deftp + +@deftp {exception type} &incorrect-containment-triples @var{path} +The client wanted to create or update a resource, and by that it tried +to change the containment triples at @var{path}. 
+@end deftp + +@deftp {exception type} &unsupported-media-type @var{content-type} +The client wanted to create a resource with the given +@var{content-type}, but it is not accepted, because @var{content-type} +is not recognized as an RDF content type. +@end deftp + +@deftp {exception type} &path-is-auxiliary @var{path} +The client wanted to create a resource that targets an auxiliary +resource, at @var{path}. +@end deftp + +@deftp {exception type} &forbidden @var{path} @var{user} @var{owner} @var{mode} +The @var{user} wanted to do something under @var{path} requiring +@var{mode}, but it is not the @var{owner} and it is forbidden by WAC. +@end deftp + +@deftp {exception type} &precondition-failed @var{path} @var{if-match} @var{if-none-match} @var{real-etag} +The resource under @var{path} has a @var{real-etag} that does not +match the request headers @var{if-match} and @var{if-none-match}. + +If the resource does not exist, @var{real-etag} is set to +@code{#f}. In this case, an exception of type @code{&path-not-found} +is also thrown. +@end deftp + +@deftp {exception type} ¬-acceptable @var{client-accepts} @var{path} @var{content-type} +The client wanted a response with a specific set of +@var{client-accept}ed content-types, but the real @var{content-type} +of the resource under @var{path} cannot be converted to one of them. +@end deftp +@node GNU Free Documentation License +@appendix GNU Free Documentation License + +@include fdl.texi + +@node Index +@unnumbered Index + +@printindex cp + +@bye diff --git a/doc/style.css b/doc/style.css index e2dd04d..9a870f8 100644 --- a/doc/style.css +++ b/doc/style.css @@ -1,4 +1,4 @@ -/* webid-oidc, implementation of the Solid specification +/* disfluid, implementation of the Solid specification Copyright (C) 2020, 2021 Vivien Kraus This program is free software: you can redistribute it and/or modify diff --git a/doc/webid-oidc.texi b/doc/webid-oidc.texi deleted file mode 100644 index e7df400..0000000 
--- a/doc/webid-oidc.texi +++ /dev/null 
@@ -1,1495 +0,0 @@ -\input texinfo @c -*-texinfo-*- -@comment $Id@w{$} -@documentlanguage en -@comment %**start of header -@include version.texi -@settitle Webid-oidc manual -@syncodeindex pg cp -@syncodeindex fn cp -@syncodeindex vr cp -@syncodeindex tp cp -@comment %**end of header - -@copying -This is the manual of webid-oidc (version @value{VERSION}, @value{UPDATED}), an implementation of the Solid authentication protocol for guile, client and server. - -Copyright @copyright{} 2020, 2021 Vivien Kraus -@quotation -Permission is granted to copy, distribute and/or modify this document -under the terms of the GNU Free Documentation License, Version 1.3 or -any later version published by the Free Software Foundation; with no -Invariant Sections, with no Front-Cover Texts, and with no Back-Cover -Texts. A copy of the license is included in the section entitled ``GNU -Free Documentation License'' -@end quotation -@end copying - -@dircategory Software libraries - -@direntry -* webid-oidc: (webid-oidc)Decentralized Authentication on the Web. -@end direntry - -@titlepage -@title Webid-oidc manual -@subtitle for version @value{VERSION}, @value{UPDATED} -@author Vivien Kraus (@email{vivien@@planete-kraus.eu}) -@page -@vskip 0pt plus 1fill -@insertcopying -@end titlepage - -@contents -@ifnottex -@node Top -@top Webid-oidc -@end ifnottex - -@menu -* Decentralized Authentication on the Web:: -* Invoking webid-oidc:: -* The Json Web Token:: -* Caching on server side:: -* Content negociation:: -* Running an Identity Provider:: -* Running a Resource Server:: -* Running a client:: -* Exceptional conditions:: -* GNU Free Documentation License:: -* Index:: -@end menu - -@node Decentralized Authentication on the Web -@chapter Decentralized Authentication on the Web - -Authentication on the web is currently handled in the following way: -anyone can install a server that will authenticate users on the -web. The problem is interoperability. 
If a client (an application) -wants to authenticate a user, it has to be approved by the -authentication server. In other words, if @var{useful-program} wants -to authenticate @var{MegaCorp} users, then @var{useful-program} has to -register to @var{MegaCorp} first, and get approved. This goes against -the principle of permission-less innovation, which is at the heart of -the web. - -In the decentralized authentication web, the best attempt so far is -that of ActivityPub. All servers are interoperable with respect to -authentication: if user A emits an activity, it is forwarded by A's -server to its recipients, and A's server is responsible for A's -identity. - -The problem with that approach is that the data is tied to the -application. It is not possible to use another application to process -the data differently, or to use multiple data sources, in an -interoperable way (without the ActivityPub server knowing). This means -that on Activitypub, microblogging applications will not present -different activities correctly. This also means that it is difficult -to write a free replacement to a non-free application program, because -it would need to manage the data. - -In the Solid ecosystem, there is a clear distinction between servers -and applications. An application is free to read data from all places -at the same time, using a permission-less authentication system. Since -the applications do not need to store data, the cost of having users -is neglectible, so users do not need prior approval before using them -(making captchas and the like a thing of the past). Servers do not -have a say in which applications the user uses. - -The authentication used is a slight modification of the -well-established OpenID Connect. It is intended to work in a web -browser, but this package demonstrates that it also works without a -web browser. 
- -@node Invoking webid-oidc -@chapter Invoking webid-oidc - -The @samp{webid-oidc} program provides different modes of operations: - -@table @samp -@item reverse-proxy -Run an authenticating reverse proxy. With this command, you specify a -backend server. When an authenticated user makes a request, you -receive an additional header containing the user’s identity. -@item identity-provider -Run the identity provider only. -@item client-service -The client applications must serve some resources: namely, the client -manifest and the redirect URI. -@item server -Run both an identity provider and a resource server. -@end table - -The server is configured with command-line arguments, and environment -variables. - -@menu -* General options:: -* General server configuration:: -* Configuration for the resource server:: -* Configuration for the identity provider:: -* Configuration for the client service:: -@end menu - -@node General options -@section General options -The server will respond to @samp{-h} and @samp{-v} commands, to get -the help output and the version information. - -The server output (command-line, logs) are localized for the system -administrator. You can control it with the @samp{LANG} environment -variable. So if your locale is not English, you can have the same -commands as in this manual by running with @code{LANG=C}. - -The programs respect the @samp{XDG_DATA_HOME} and -@samp{XDG_CACHE_HOME} to store persistent data and disposable -data. The cache directory can be deleted at any time. If one of these -variables is not set, its value is computed from the @samp{HOME} -environment variable. - -@node General server configuration -@section General server configuration -All servers are published under the Affero GPL, which means that the -service provider needs to publish all changes made to the program to -users over the network. 
The @samp{webid-oidc} command provides a -@samp{--complete-corresponding-source} option so that the system -administrator can specify a means to download the source. - -The servers will add a @samp{Source:} header in each response, -containing the value of this configuration option. - -The servers can be configured to redirect output and errors to a log -file and an error file, with the @samp{--log-file} and -@samp{--error-file} options. - -The server will listen to port 8080 by default, but this may be -configured with @samp{--port}. Since the servers do not support TLS, -and they only support HTTP/1.1, they are intended to run behind a -reverse proxy (even for the authenticating reverse proxy). - -Finally, the servers are required to know their public name. This is -configured with the @samp{--server-name} option. - -The server will make requests on the world-wide web, for instance to -download client manifests. The requests can be redirected with XML -Catalog, by setting the @samp{XML_CATALOG_FILES} to a space-separated -list of URIs (can be @code{file:} URIs). The requests cannot be -directed to the file system. - -@node Configuration for the resource server -@section Configuration for the resource server -The reverse proxy sets an identity header to authenticated -requests. By default, it is @samp{XXX-Agent}, but it can be configured -with @samp{--header}. - -The reverse proxy is configured to contact a backend URI with -@samp{--backend-uri}. This backend URI should not be directly exposed, -because a malicious user could set the identity header. - -@node Configuration for the identity provider -@section Configuration for the identity provider -The identity provider can only handle one user. If you want to handle -multiple users, it is highly advised to use a different host name for -each user, in case the server is accessed from a web browser. 
You can -set the identity of the user with @samp{--subject}, and the user’s -password with @samp{--encrypted-password}. - -The encrypted password format is defined by the crypt function in the -C library. For glibc, it looks like this: -@code{$@var{N}$@var{salt}$@var{hash}}, where @var{N} is the algorithm -identifier, @var{salt} is the password salt annd @var{hash} is its -hash. - -The server uses a key, which is not the same thing as the TLS -certificate of the server (remember, the servers don’t support -TLS). It is in the JWK format. You set its file name with -@samp{--key-file}. If the key file does not exist, it will be -generated. - -Finally, the public openid configuration requires you to set the JWKS -URI (@samp{--jwks-uri}), authorization endpoint URI -(@samp{--authorization-endpoint-uri}) and token endpoint URI -(@samp{--token-endpoint-uri}). The identity provider will publish the -full URIs, but will respond to their path, regardless of the host. - -@node Configuration for the client service -@section Configuration for the client service -The client will serve a stupid page for the redirect URI that will -only display the authorization code. The redirect URI is set with -@samp{--redirect-uri}. - -The client ID is set with @samp{--client-id}. This is the URI under -which the client registrationn is served. - -Finally, you can set some cosmetic options, but since it can confuse -the user, they are hidden by default by the identity provider. - -@table @samp -@item --client-name -set the name of the application. -@item --client-uri -set an URI where to find more information about the client. -@end table - -@node The Json Web Token -@chapter The Json Web Token - -The Json Web Token, or @dfn{JWT}, is a terse representation of a pair -of JSON objects: the @dfn{header}, and the @dfn{payload}. 
The JWT can -be @dfn{encoded} as a Json Web Signature (@dfn{JWS}), in which case -the header is encoded to base64 with the URL alphabet, and without -padding characters, the payload is also encoded to base64, and the -concatenation of the encoding of the header, a dot, and the encoding -of the payload is signed with some cryptography algorithm. In the -following, we will only be interested by public-key cryptography. The -concatenation of header, dot, payload, dot and signature in base64 is -the encoding of the JWT. - -Decoded JWT are represented as a pair. The car of the pair is the -header, and the cdr is the payload. Both the header and the payload -use the JSON representation from srfi-180: objects are alists of -@strong{symbols} to values, arrays are vectors. It is unfortunate that -guile-json has a slightly different representation, where alist keys -are @emph{strings}, but we hope that in the future SRFI-180 will be -more closely respected. - -@menu -* The ID token:: -* The access token:: -* The DPoP proof:: -* Generic JWTs:: -@end menu - -@node The ID token -@section The ID token - -The ID token is a special JWT that the application keeps for -itself. It is signed by the identity provider, and contains the -following claims: - -@table @emph -@item webid -the URI of the user’s webid; -@item iss -the URI of the identity provider (issuer); -@item sub -the username (the webid-oidc issuer puts the webid again here, but it -could be any string); -@item aud -the ID of the client application that is intended to receive the ID -token; -@item nonce -some random data to change the signature; -@item exp -an UTC time (in seconds) for when the token expires; -@item iat -the time when it was issued. -@end table - -There are functions to work with ID tokens in -@emph{(webid-oidc oidc-id-token)}. - -@deffn function id-token? @var{object} -Check that @var{object} is a decoded ID token. 
-@end deffn - -The following helper functions convert URIs to the URIs from -@emph{(web uri)} and times to @emph{(srfi srfi-19)} dates. - -@deffn function id-token-webid @var{token} -@deffnx function id-token-iss @var{token} -@deffnx function id-token-sub @var{token} -@deffnx function id-token-aud @var{token} -@deffnx function id-token-nonce @var{token} -@deffnx function id-token-exp @var{token} -@deffnx function id-token-iat @var{token} -Get the suitable field from the payload of @var{token}. -@end deffn - -ID tokens can be signed and encoded as a string, or decoded. - -@deffn function id-token-decode @var{token} @var{[#http-get]} -Decode @var{token}, as a string, into a decoded token. The signature -verification will need to fetch the oidc configuration of the claimed -issuer, and check the signature against the published keys. The -@code{http-get} optional keyword argument can set a different -implementation of @code{http-get} from @emph{(web client)}. Return -@code{#f} if it failed, or the decoded token otherwise. -@end deffn - -@deffn function id-token-encode @var{token} @var{key} -Encode @var{token} and sign it with the issuer’s @var{key}. -@end deffn - -@deffn function issue-id-token @var{issuer-key} @var{#alg} @var{#webid} @var{#iss} @var{#sub} @var{#aud} @var{#exp} @var{#iat} -Create an ID token, and encode it with @var{issuer-key}. -@end deffn - -@node The access token -@section The access token - -The access token is obtained by the client through a token request, -and is presented to the server on each authenticated request. It is -signed by the identity provider, and it contains enough information so -that the server knows who the user is and who the agent is, and most -importantly the fingerprint of the key that the client should use in a -DPoP proof. - -The API is defined in @emph{(webid-oidc access-token)}. - -@deffn function access-token? @var{object} -Check that @var{object} is a decoded access token. 
-@end deffn - -There are field getters for the access token: - -@deffn function access-token-webid @var{token} -@deffnx function access-token-iss @var{token} -@deffnx function access-token-aud @var{token} -@deffnx function access-token-exp @var{token} -@deffnx function access-token-iat @var{token} -@deffnx function access-token-cnf/jkt @var{token} -@deffnx function access-token-client-id @var{token} -Get the suitable field from the payload of @var{token}. -@end deffn - -Access tokens can be signed and encoded as a string, or decoded. - -@deffn function access-token-decode @var{token} @var{[#http-get]} -Decode @var{token}, as a string, into a decoded token. As with the ID -token, the signature verification will need to fetch the oidc -configuration of the claimed issuer, and check the signature against -the published keys. The @code{http-get} optional keyword argument can -set a different implementation of @code{http-get} from -@emph{(web client)}, for instance to re-use the what has been obtained -by the ID token validation. Return @code{#f} if it failed, or the -decoded token otherwise. -@end deffn - -@deffn function access-token-encode @var{token} @var{key} -Encode @var{token} and sign it with the issuer’s @var{key}. -@end deffn - -@deffn function issue-access-token @var{issuer-key} @var{#alg} @var{#webid} @var{#iss} @var{#exp} @var{#iat} @var{[#client-key} @var{|} @var{#cnf/jkt]} @var{#client-id} -Create an access token, and encode it with @var{issuer-key}. You can -either set the @code{#:cnf/jkt} keyword argument with the fingerprint -of the client key, or set @code{#:client-key} directly, in which case -the fingerprint will be computed for you. -@end deffn - -@node The DPoP proof -@section The DPoP proof - -This is a special JWT, that is signed by a key controlled by the -application. The access token certifies that the key used to sign the -proof is approved by the identity provider. - -@deffn function dpop-proof? 
@var{proof} -Check that the @var{proof} is a decoded DPoP proof. The validity of -the proof is not checked by this function. -@end deffn - -@deffn function dpop-proof-alg @var{proof} -@deffnx function dpop-proof-jwk @var{proof} -@deffnx function dpop-proof-jti @var{proof} -@deffnx function dpop-proof-htm @var{proof} -@deffnx function dpop-proof-htu @var{proof} -@deffnx function dpop-proof-iat @var{proof} -@deffnx function dpop-proof-ath @var{proof} -Get the corresponding field of the proof. -@end deffn - -@deffn function dpop-proof-decode @var{current-time} @var{jti-list} @var{method} @var{uri} @var{str} @var{cnf/check} @var{[#:access-token]} -Check and decode a DPoP proof encoded as @var{str}. - -The @var{current-time} is passed as a date, time or number (of -seconds). - -In order to prevent replay attacks, each proof has a unique random -string that is remembered in @var{jti-list} until its expiration date -is reached. See the @code{make-jti-list} function. - -The proof is limited to the scope of one @var{uri} and one -@var{method} (@code{'GET}, @code{'POST} and so on). - -The key that is used to sign the proof should be confirmed by the -identity provider. To this end, the @var{cnf/check} function is called -with the fingerprint of the key. The function should check that the -fingerprint is OK (return a boolean). - -Finally, when the DPoP proof is tied to an access token (so, for all -uses except requesting an access token or a refresh token), it must be -bound to an @var{access-token}. -@end deffn - -@deffn function make-jti-list -This function in @emph{(webid-oidc jti-list)} creates an in-memory, -async-safe, thread-safe cache for the proof IDs. -@end deffn - -@deffn function dpop-proof-encode @var{proof} @var{key} -Encode the proof and sign it with @var{key}. To generate valid proofs, -@var{key} should be the private key corresponding to the @code{jwk} -field of the proof. 
-@end deffn - -@deffn function issue-dpop-proof @var{client-key} @var{#alg} @var{#htm} @var{#htu} @var{#iat} {[#:@var{access-token}=#f]} -Create a proof, sign it and encode it with -@var{client-key}. @var{client-key} should contain both the private and -public key, because the public part is written in the proof and the -private part is used to sign it. For most uses, the DPoP proof should -be encoded for a specific access token. Only token requests should -omit the @samp{access-token} field. -@end deffn - -@node Generic JWTs -@section Generic JWTs - -You can parse generic JWTs signed with JWS with the following -functions from @emph{(webid-oidc jws)}. - -@deffn function jws? @var{jwt} -Check that @var{jwt} is a decoded JWT signed with JWS. -@end deffn - -@deffn function jws-alg @var{jwt} -Get the algorithm used to sign @var{jwt}. -@end deffn - -@deffn function jws-decode @var{str} @var{lookup-keys} -Check and decode a JWT signed with JWS and encoded as @var{str}. - -Since the decoding and signature verification happen at the same time -(for user friendliness), the @var{lookup-keys} function is used. It is -passed as arguments the decoded JWT (but the signature is not checked -yet), and it should return a public key, a public key set or a list of -public keys. If the key lookup failed, this function should raise an -exception. -@end deffn - -@deffn function jws-encode @var{jwt} @var{key} -Encode the JWT and sign it with @var{key}. -@end deffn - -@node Caching on server side -@chapter Caching on server side - -Both the identity provider and the resource server need to cache -things. The identity provider will cache application webids, and the -resource server will cache the identity provider keys, for instance. - -The solution is to use a file-system cache. Every response (except -those that have a cache-control policy of no-store) are stored to a -sub-directory of @emph{XDG_CACHE_HOME}. Each store has a 5% chance of -triggering a cleanup of the cache. 
When a cleanup occurs, each cached -response has a 5% chance of being dropped, including responses that -are indicated as valid. This way, a malicious cache response that has -a maliciously long validity will not stay too long in the cache. A log -line will indicate which items are dropped. - -The @emph{(webid-oidc cache)} module exports two functions to deal -with the cache. - -@deffn function clean-cache @var{[#percents]} @var{[#dir]} -Drop @var{percents}% of the cache right now, in @var{dir} (defaults to -some place within @emph{XDG_CACHE_HOME}). -@end deffn - -@deffn function with-cache @var{[#current-time]} @var{[#http-get]} @var{[#dir]} -Return a function acting as @emph{http-get} from @emph{(web client)} -(takes an URI as the first parameter, and an optional @var{#:headers} -set, and returns 2 values, the response and its body). - -The cache will be read and written in @var{dir} (defaults to some -place within @emph{XDG_CACHE_HOME}), and the @var{current-time} number -of seconds, SRFI-19 time or date, or time-returning thunk will be used -to check for the validity of responses. - -The back-end function, @var{http-get}, defaults to that of -@emph{(web client)}. -@end deffn - -@node Content negociation -@chapter Content negociation -There are a number of different available syntaxes for RDF, some being -simple and human readable like @emph{turtle}, and others more adapted -to the JavaScript ecosystem like @emph{json-ld}. To help clients both -from and outside of the JS ecosystem, the server needs to perform -@dfn{content negociation}, i.e. convert from one content-type to -another. - -@deffn {function from @code{(webid-oidc serve)}} convert @var{client-accepts} @var{server-name} @var{path} @var{content-type} @var{content} -Convert the resource representation under @var{path} on -@var{server-name}, which has a given @var{content-type} and -@var{content}, to a content-type that the @var{client accepts}. 
- -Return 2 values: -@enumerate -@item -the accepted content-type; -@item -the content in the given content-type. -@end enumerate - -Currently, the only conversions are from and to @emph{Turtle} and -@emph{N-Quads}. -@end deffn - -@node Running an Identity Provider -@chapter Running an Identity Provider - -This project is packaged with a barebones identity provider. It has an -authorization endpoint and a token endpoint (and it serves its public -keys), but it is only intended for one specific person. - -You can start it by invoking the @code{webid-oidc} program with the -@code{issuer} command, with the following options: - -@table @asis -@item @code{-h}, or @code{--help} -prints a summary of options and exit. -@item @code{-v}, or @code{--version} -prints the version of the program and exits. -@item @code{-n @var{URI}}, or @code{--server-name=@var{URI}} -sets the global server name of the identity provider. It should have -an empty path. -@item @code{-k @var{FILE.jwk}}, or @code{--key-file=@var{FILE.jwk}} -sets the file name where to read or generate a key for the identity -provider. This file should be JSON, containing the representation of a -JWK key pair. -@item @code{-s @var{WEBID}}, or @code{--subject=@var{WEBID}} -sets the webid of the only user of the identity provider. This is an -URI, pointing to a RDF node corresponding to the user’s profile. -@item @code{-w @var{PASSWORD}}, or @code{--password=@var{PASSWORD}} -sets the password that the user must enter to authorize an -application. -@item @code{-j @var{URI}}, or @code{--jwks-uri=@var{URI}} -tells the server that requests to @var{URI} should be responded with -the public key used to sign the tokens. -@item @code{-a @var{URI}}, or @code{--authorization-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as -authorization requests. 
-@item @code{-t @var{URI}}, or @code{--token-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as token -negociation requests. -@item @code{-p @var{PORT}}, or @code{--port=@var{PORT}} -change the port number used by the server. By default, it is set to -8080. -@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} -let the server dump all its output to @var{FILE.log}. Since I don’t -know how to deal with syslog, this is the only way to keep logs with a -shepherd service. -@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} -let the server dump all its errors to @var{FILE.err}. -@end table - -The program is sensitive to the environment variables. The most -important one is @emph{LANG}, which influences how the program is -internationalized to the server administrator (the pages served to the -user use the user agent’s locale). This changes the long form of the -options, and the language in the log files. - -The @emph{XDG_DATA_HOME} should point to some place where the program -will store refresh tokens, under the @code{webid-oidc} directory. For -a system service, you might want to define that environment to -@code{/var/lib}, for instance. - -The @emph{XDG_CACHE_HOME} should point to a directory where to store -the seed of the random number generator (under a @code{webid-oidc} -directory, again). Changing the seed only happens when a program -starts to require the random number generator. You can safely delete -this directory, but you need to restart the program to actually change -the seed. - -@node Running a Resource Server -@chapter Running a Resource Server - -@menu -* Running webid-oidc reverse-proxy:: -* The authenticator:: -* The full server:: -* Resources stored on the server:: -@end menu - -A Solid server is the server that manages your data. It needs to check -that the proofs of possession are correct, and the possessed key is -signed by the identity provider. 
- -@node Running webid-oidc reverse-proxy -@section Running webid-oidc reverse-proxy - -The @code{webid-oidc} program comes with a reverse proxy command, -aptly named @code{reverse-proxy}, to listen to an interface, take -requests, authenticate them, and pass them to a backend with an -additional header containing the webid of the agent, if authenticated. - -The reverse proxy is invoked with the following arguments: - -@table @asis -@item @code{-p}@var{PORT}, @code{--port=}@var{PORT} -the port on which the reverse proxy listens; -@item @code{-n}@var{URI}, @code{--server-name=}@var{URI} -the public name of the server; -@item @code{-b}@var{URI}, @code{--backend-uri=}@var{URI} -the address of the backend; -@item @code{-H}@var{HEADER}, @code{--header=}@var{HEADER} -replace the name of the header that will contain the webid of the -user. Defaults to @code{XXX-Agent}. Please note that this value should -be ASCII, otherwise it’s not guaranteed that the reverse proxy will -drop other capitalizations of the header in malicious requests; -@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} -let the server dump all its output to @var{FILE.log}. See the identity -provider comment; -@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} -let the server dump all its errors to @var{FILE.err}. -@end table - -You can localize the interface by setting the @var{LANG} environment -variable. - -@node The authenticator -@section The authenticator - -In @emph{(webid-oidc resource-server)}, the following function gives a -simple API for a web server: - -@deffn function make-authenticator @var{jti-list} @var{[#server-uri]} @var{[#current-time]} @var{[#http-get]} -Create an authenticator, i.e. a function that takes a request and -request body and returns the webid of the authenticated user, or -@code{#f} if it is not authenticated. - -To prevent replay attacks, each request is signed by the client with a -different unique padding value. 
If such a value has already been seen, -then the request must fail. - -The authenticator expects the client to demonstrate the possession of -a key that the identity provider knows. So the client creates a DPoP -proof, targetted to a specific URI. In order to check that the URI is -correct, the authenticator needs the public URI of the service. - -The JTIs are checked within a small time frame. By default, the system -time will be used. Otherwise, you can customize the -@code{current-time} optional keyword argument, to pass a thunk -returning a time from @emph{(srfi srfi-19)}. - -You may want to customize the @var{http-get} optional keyword argument -to pass a function to replace @code{http-get} from @emph{(http -client)}. This function takes an URI and optional @code{#:headers} -arguments, makes the request, and return two values: the response, and -the response body. - -This function, in @emph{(webid-oidc resource-server)}, returns a web -request handler, taking the request and request body, and returning -the subject of the access token. If an error happens, it is thrown; -the function always returns a valid URI. -@end deffn - -@node The full server -@section The full server - -@deffn {function from @emph{(webid-oidc resource-server)}} make-server @var{[#:server-uri]} @var{[#:owner]} @var{[#:authenticator]} @var{[#:current-time]} @var{[#:http-get]} -Return a server handler, a function taking 2 values, a request and a -request body, and returning 2 values, the response and response body. - -The optional @var{[#:authenticator]} argument defaults to the -webid-oidc authenticator, @var{[#:current-time]} defaults to a thunk -returning the system time and @var{[#:http-get]} to the web client -from @emph{(web client)}. -@end deffn - -@node Resources stored on the server -@section Resources stored on the server - -To store and serve resources, the server has two distinct -mechanisms. 
A @dfn{content} is a read-only possible value for a -resource, indexed by etags, and a @dfn{path} is a mutable value that -indicates the etag of the resource, and of the auxiliary resources -(description and ACL). With this separation, it is possible to -atomically delete a resource and all associated auxiliary resources, -by unlinking the corresponding @emph{path}. It is also possible to -mutate separately the ACL and the resource itself without writing a -copy for both. - -The @emph{content} API is contained in the -@code{(webid-oidc server resource content)} module. - -@deffn function with-session @var{f} [@var{#:dir}] -Call @var{f} with 5 arguments: -@itemize -@item -a function to get the content-type of a given etag; -@item -a function to list the paths contained within the resource; -@item -a function to load the content of a given etag; -@item -a function to create a new content; -@item -a function to remove a content from the file system. It is still -possible to query it with the first 3 functions, but new sessions will -not see it. -@end itemize - -Since the contents are read-only, it is possible to cache the value of -the content in memory. This is why @var{f} should run within a session -with memoization. - -Resources only store @emph{static} content, because the membership -triples for containers is considered dynamic and not included in the -representation. - -The first 3 functions as well as the last one are called with an etag, -and the function to create a content is called with the content-type, -list of contained paths, and (static) content. - -By default, the contents are stored within @var{XDG_DATA_HOME}, but it -can be overriden by @var{#:dir}. -@end deffn - -The @emph{path} API is defined in -@code{(webid-oidc server resource path)}. 
- -@deffn function read-path @var{path} -Read the resource at @var{path}, and return 2 values: -@enumerate -@item -the ETag of the main resource; -@item -an alist where keys are auxiliary resource type URIs (the type is from -@code{(web uri)}), and the values are ETags of the corresponding -resource. -@end enumerate - -If the resource is not found, raise an exception with type -@code{&path-not-found}, and maybe @code{&uri-slash-semantics-error} if -a resource with a different ending-in-slash exists. - -This function is safe to call when the path is being modified, either -by another thread, process or else, as the returned values will always -be consistent. However, once the function returns, an updating process -may have deleted the returned ETags. If this is the case, then you -must call this function again to read the updated path. -@end deffn - -@deffn function update-path @var{path} @var{f} @var{content-type} @var{contained} @var{static-content} @var{create} @var{delete} [@var{#:create-intermediate-containers?}=@code{#f}] -Read @var{path}, call @var{f} with two values: the ETag and the -auxiliary ETags (as returned by @var{read-path}), and update the path -accordingly. If @var{path} does not exist, then the first argument is -@code{#f} and the second one is the empty list. - -If @var{f} returns @code{#f}, then the resource is deleted. - -If @var{f} returns an ETag as the first returned value and an alist of -auxiliary resource ETags as the second value, then the resource is -updated. - -The last functions are from the content API. Since creating or -deleting children requires updating the parent, we need them. - -Some operations should create the intermediate containers for a given -path, this is the case for the @code{PUT} HTTP verb. For @code{POST}, -the parent should exist. The @var{#:create-intermediate-containers?} -switch lets you change the behavior. In any case, it is an error to -delete a non-empty container. 
- -The update is atomic, meaning that at any point in time the file is -fully written out. Concurrent access to the same resource is performed -by locking the lock file named @var{X}/.lock, where @var{X} is the -first character of the base64-url sha-256 hash of the -path. @strong{The lock file is not meant to be removed} when the -resource is unlocked. It should be locked with @code{flock} -instead. @strong{Like other forms of lock-based synchronization, this -function is not composable}. This means that you cannot call this -function within @var{f}, otherwise a deadlock may ensue. - -If the resource is created or deleted, then the parent resource is -updated as well. To avoid deadlocks with other processes, please -follow the following rules: lock the path, then lock the parent path, -then update the parent, then unlock the parent, and finally unlock the -child path. -@end deffn - -The Web Access Control specification defines an RDF vocabulary to -check whether a given user is allowed to perform some operations. The -@code{(webid-oidc server resource wac)} helps you do that. - -@deffn function wac-get-modes @var{server-name} @var{path} @var{user} @var{[#:http-get]} -Return the list of modes that are allowed for @var{user} accessing -@var{path}. The @var{server-name} URI is required to find the relevant -triples in the ACL. If @var{user} is unauthenticated, pass @code{#f}. - -Please note that in any case, the data owner should have all rights -whatsoever, bypassing WAC. Otherwise, it is possible to steal control -away from the data owner. 
-@end deffn - -@deffn function check-acl-can-read @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} -@deffnx function check-acl-can-write @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} -@deffnx function check-acl-can-append @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} -@deffnx function check-acl-can-control @var{server-name} @var{path} @var{owner} @var{user} @var{[#:http-get]} -Assert that the resource at @var{path} on @var{server-name} is owned -by @var{owner}, and check that @var{user} has the proper -authorization. Otherwise, raise an exception of type -@code{&forbidden}. -@end deffn - -@node Running a client -@chapter Running a client - -To run a client, you need to proceed in two steps. First, acquire an -OIDC ID token and an access token from the identity provider, and then -present the access token and a proof of possession of the linked key -in each request, in a DPoP HTTP header. - -The first operation is performed by the @emph{(webid-oidc client)} -module. - -@deffn function authorize @var{host/webid} @var{#client-id} @var{#redirect-uri} @var{[#state]} @var{[#http-get]} -The user enters a valid webid or a host name, and then this function -will query it (with the @var{http-get} parameter, by default the web -client from @emph{(web client)}) to determine the authorization -endpoint. The function will return an alist of authorization URIs, -indexed by approved identity provider URIs, that the user should -browse with a traditional web browser. - -Each application should have its own webid, or in that case -@var{client-id}, that can be dereferenced by the identity provider. - -Once the user has given authorization, the user’s agent will be -redirected to @var{redirect-uri}, with the authorization code as a GET -parameter. It is possible to pass a @var{state}, but this is optional. 
-@end deffn - -Once the client gets the authorization code, it is necessary to create -an access token and ID token. - -@deffn function token @var{host} @var{client-key} @var{[#authorization-code]} @var{[#refresh-token]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} -Trade an @var{authorization-code}, or a @var{refresh-token}, for an ID -token and an access token bound to the @var{client-key} issued by -@var{host}, the identity provider. - -You can override the HTTP client used (@var{http-get} and -@var{http-post}), and how to compute the time (@var{current-time}). -@end deffn - -In an application, you would have a list of profiles in XDG_DATA_HOME, -consisting of triples (webid, issuer, refresh token). - -@deffn function list-profiles @var{[#dir]} -Read the list of available profiles. Returns a list of triples, webid, -issuer, reresh token. - -By default, this function will look for the profiles file in -@var{XDG_DATA_HOME}. You can bypass it by providing the @var{#dir} -optional keyword argument. -@end deffn - -@deffn function setup @var{get-host/webid} @var{choose-provider} @var{browse-authorization-uri} @var{#client-id} @var{#redirect-uri} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} -Negociate a refresh token, and save it. The function returns 3 values: -the decoded ID token pyload, the encoded access token and the key -pair. - -The @var{get-host/webid} thunk should ask the user’s webid or identity -provider, and return it. @var{choose-provider} is called with a list -of possible identity providers as host names (strings), and the user -should choose one. The chosen one is returned. Finally, -@var{browse-authorization-uri} should ask or let the user browse an -URI as its argument, and return the authorization code taken from the -redirect URI. - -The refresh token is saved to disk, as a profile, in -XDG_DATA_HOME. Pass the optional @var{#dir} keyword argument to -override the location. 
- -You need to set @var{client-id} to the public webid of the app, and -@var{redirect-uri} to one of the approved redirection URIs for the -application ID. -@end deffn - -@deffn function login @var{webid} @var{issuer} @var{refresh-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} -If you have already a known profile, you can use it to automatically -log in. This function might update the refresh token if it changed, so -you can again set @var{#dir}. Please note that the @var{refresh-token} -is bound to the client @var{key} on server side, so you must always -use the same @var{key}. -@end deffn - -@deffn function refresh @var{id-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#current-time]} -If you have an ID token bound to a known profile, this helper function -will look up the associated refresh token and log in. -@end deffn - -@deffn function make-client @var{id-token} @var{access-token} @var{key} @var{[#dir]} @var{[#http-get]} @var{[#http-post]} @var{[#http-request]} @var{[#current-time]} -Return a replacement of @code{http-request} from @emph{(web client)}, -that automatically signs requests and refresh the tokens when needed. - -@var{#http-get} and @var{#http-post} are only used to refresh the -tokens, while @var{#http-request} is used as a back-end for the -requests. - -@var{#current-time} is set to a thunk that returns the time. It is -used to issue DPoP proofs. -@end deffn - -An example application is provided as the -@code{webid-oidc-example-app} program. It demonstrates how -authentication is done. It should help you understand how webid-oidc -works. - -The identity provider needs to call the application on the web. So, -your client should have a public endpoint on the web. 
- -@deffn function serve-application @var{id} @var{redirect-uri} @var{[#client-name]} @var{[#client-uri]} -Return a handler for web requests to serve the application manifest -and the redirection to transmit the authorization code. You should set -the @var{client-name} to your application name and @var{client-uri} to -point to where to a presentation of your application. -@end deffn - -The @code{webid-oidc} @code{client-service} command can run a server -to serve these resources. It is invoked with the following options: - -@table @asis -@item @code{-h}, or @code{--help} -prints a summary of the options and exit. -@item @code{-v}, or @code{--version} -prints the version of the program and exits. -@item @code{-c @var{URI}}, or @code{--client-id=@var{URI}} -sets the global identitifier of the application, which is dereferenced -to a semantic resource. -@item @code{-r @var{URI}}, or @code{--redirect-uri=@var{URI}} -sets the redirection URI. -@item @code{-C @var{NAME}}, or @code{--client-name=@var{NAME}} -sets the name of your application, so that it is shown when the user -gets an authorization. The webid-oidc issuer program that comes with -this package does not display it, because it could be dishonest, but -other implementations might. -@item @code{-u @var{URI}}, or @code{--client-uri=@var{URI}} -sets an URI for the identity provider to learn more about your app. -@item @code{-p @var{PORT}}, or @code{--port=@var{PORT}} -change the port number used by the server. By default, it is set to -8080. -@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} -let the server dump all its output to @var{FILE.log}. -@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} -let the server dump all its errors to @var{FILE.err}. -@end table - -The command is sensitive to the environment variable @emph{LANG}, -which influences how the program is internationalized to the server -administrator. 
This changes the long form of the options, and the -language in the log files. - -@node Exceptional conditions -@chapter Exceptional conditions - -The library will raise an exception whenever something fishy -occurs. For instance, if a signature is invalid, or the expiration -date has passed. All exception types are defined in -@code{(webid-oidc errors)}. - -@deffn function error->str @var{error} @var{[#depth]} -Return a string explaining the @var{error}. You can limit the -@var{depth} of the explanation as an integer. -@end deffn - -@menu -* Invalid data format:: -* Invalid JWT:: -* Cannot fetch data on the web:: -* Other errors in the protocol or from a reasonable implementation:: -* Server-side errors:: -@end menu - -@node Invalid data format -@section Invalid data format -There are a few JSON objects with required fields. This exceptions -usually occur as the cause of a higher-level exception. - -@deftp {exception type} ¬-base64 @var{value} @var{cause} -This exception is raised when the base64 decoding function -failed. @var{value} is the incorrect input, and @var{cause} is a -low-level error. -@end deftp - -@deftp {exception type} ¬-json @var{value} @var{cause} -Cannot decode @var{value} to a JSON object. -@end deftp - -@deftp {exception type} ¬-turtle @var{value} @var{cause} -Cannot decode @var{value} to a RDF graph. -@end deftp - -@deftp {exception type} &incorrect-webid-field @var{value} -The @var{value} of the webid field in the JWT is missing (if -@code{#f}), or not an acceptable value. -@end deftp - -@deftp {exception type} &incorrect-iss-field @var{value} -The @var{value} of the iss field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-aud-field @var{value} -The @var{value} of the aud field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-iat-field @var{value} -The @var{value} of the iat field is incorrect. 
-@end deftp - -@deftp {exception type} &incorrect-exp-field @var{value} -The @var{value} of the exp field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-cnf/jkt-field @var{value} -The @var{value} of the cnf/jkt field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-client-id-field @var{value} -The @var{value} of the client-id field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-typ-field @var{value} -The @var{value} of the typ field in the DPoP proof header is -incorrect. -@end deftp - -@deftp {exception type} &incorrect-jwk-field @var{value} @var{cause} -The @var{value} of the jwk field in the DPoP proof header is -incorrect. -@end deftp - -@deftp {exception type} &incorrect-jti-field @var{value} -The @var{value} of the jti field in the DPoP proof is incorrect. -@end deftp - -@deftp {exception type} &incorrect-htm-field @var{value} -The @var{value} of the htm field in the DPoP proof is incorrect. -@end deftp - -@deftp {exception type} &incorrect-htu-field @var{value} -The @var{value} of the htu field in the DPoP proof is incorrect. -@end deftp - -@deftp {exception type} &incorrect-ath-field @var{value} -The @var{value} of the ath field is not the hash of the access token. -@end deftp - -@deftp {exception type} &incorrect-redirect-uris-field @var{value} -The @var{value} of the redirect-uris field of a client manifest is -incorrect. -@end deftp - -@deftp {exception type} &incorrect-typ-field @var{value} -The @var{value} of the typ field in the DPoP proof header is -incorrect. -@end deftp - -@deftp {exception type} &incorrect-sub-field @var{value} -The @var{value} of the sub field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-iss-field @var{value} -The @var{value} of the iss field is incorrect. -@end deftp - -@deftp {exception type} &incorrect-nonce-field @var{value} -The @var{value} of the nonce field in the DPoP proof is incorrect. 
-@end deftp - -@deftp {exception type} &incorrect-htm-field @var{value} -The @var{value} of the htm field in the DPoP proof is incorrect. -@end deftp - -@deftp {exception type} ¬-a-client-manifest @var{value} @var{cause} -The @var{client-manifest} is incorrect. -@end deftp - -@node Invalid JWT -@section Invalid JWT -Each JWT type – access token, DPoP proof, ID token, authorization code -(this is internal to the identity provider) has different validation -rules, and can fail in different ways. - -@deftp {exception type} &unsupported-crv @var{crv} -The identifier @var{crv} does not identify an elliptic curve. -@end deftp - -@deftp {exception type} ¬-a-jwk @var{value} @var{cause} -@var{value} does not identify a JWK. -@end deftp - -@deftp {exception type} ¬-a-public-jwk @var{value} @var{cause} -@var{value} does not identify a public JWK. -@end deftp - -@deftp {exception type} ¬-a-private-jwk @var{value} @var{cause} -@var{value} does not identify a private JWK. -@end deftp - -@deftp {exception type} ¬-a-jwks @var{value} @var{cause} -@var{value} does not identify a set of public keys. -@end deftp - -@deftp {exception type} &unsupported-alg @var{value} -@var{value} does not identify a valid hash algorithm. -@end deftp - -@deftp {exception type} &invalid-signature @var{key} @var{payload} @var{signature} -@var{key} has not signed @var{payload} with @var{signature}. -@end deftp - -@deftp {exception type} &missing-alist-key @var{value} @var{key} -@var{value} isn’t an alist, or is missing a value with @var{key}. -@end deftp - -@deftp {exception type} ¬-a-jws-header @var{value} @var{cause} -@var{value} does not identify a decoded JWS header. -@end deftp - -@deftp {exception type} ¬-a-jws-payload @var{value} @var{cause} -@var{value} does not identify a decoded JWS payload. -@end deftp - -@deftp {exception type} ¬-a-jws @var{value} @var{cause} -@var{value} does not identify a decoded JWS. 
-@end deftp - -@deftp {exception type} ¬-in-3-parts @var{string} @var{separator} -@var{string} cannot be split into 3 parts with @var{separator}. -@end deftp - -@deftp {exception type} &no-matching-key @var{candidates} @var{alg} @var{payload} @var{signature} -No key among @var{candidates} could verify @var{signature} signed with -@var{alg} for @var{payload}, because the signature mismatched for all -keys. -@end deftp - -@deftp {exception type} &cannot-decode-jws @var{value} @var{cause} -The @var{value} string is not an encoding of a valid JWS. -@end deftp - -@deftp {exception type} &cannot-encode-jws @var{jws} @var{key} @var{cause} -The @var{jws} cannot be signed. -@end deftp - -@deftp {exception type} ¬-an-access-token @var{value} @var{cause} -The @var{value} is not an access token. -@end deftp - -@deftp {exception type} ¬-an-access-token-header @var{value} @var{cause} -The @var{value} is not an access token header. -@end deftp - -@deftp {exception type} ¬-an-access-token-payload @var{value} @var{cause} -The @var{value} is not an access token payload. -@end deftp - -@deftp {exception type} &cannot-decode-access-token @var{value} @var{cause} -The @var{value} string is not an encoding of a valid access token. -@end deftp - -@deftp {exception type} &cannot-encode-access-token @var{access-token} @var{key} @var{cause} -The @var{access-token} cannot be signed. -@end deftp - -@deftp {exception type} ¬-a-dpop-proof @var{value} @var{cause} -The @var{value} is not a DPoP proof. -@end deftp - -@deftp {exception type} ¬-a-dpop-proof-header @var{value} @var{cause} -The @var{value} is not a DPoP proof header. -@end deftp - -@deftp {exception type} ¬-a-dpop-proof-payload @var{value} @var{cause} -The @var{value} is not a DPoP proof payload. -@end deftp - -@deftp {exception type} &cannot-decode-dpop-proof @var{value} @var{cause} -The @var{value} string is not an encoding of a valid DPoP proof. 
-@end deftp - -@deftp {exception type} &cannot-encode-dpop-proof @var{dpop-proof} @var{key} @var{cause} -The @var{dpop-proof} cannot be signed. -@end deftp - -@deftp {exception type} ¬-an-authorization-code @var{value} @var{cause} -The @var{value} is not an authorization code. -@end deftp - -@deftp {exception type} ¬-an-authorization-code-header @var{value} @var{cause} -The @var{value} is not an authorization code header. -@end deftp - -@deftp {exception type} ¬-an-authorization-code-payload @var{value} @var{cause} -The @var{value} is not an authorization code payload. -@end deftp - -@deftp {exception type} &cannot-decode-authorization-code @var{value} @var{cause} -The @var{value} string is not an encoding of a valid authorization -code. -@end deftp - -@deftp {exception type} &cannot-encode-authorization-code @var{authorization-code} @var{key} @var{cause} -The @var{authorization-code} cannot be signed. -@end deftp - -@deftp {exception type} ¬-an-id-token @var{value} @var{cause} -The @var{value} is not an ID token. -@end deftp - -@deftp {exception type} ¬-an-id-token-header @var{value} @var{cause} -The @var{value} is not an ID token header. -@end deftp - -@deftp {exception type} ¬-an-id-token-payload @var{value} @var{cause} -The @var{value} is not an ID token payload. -@end deftp - -@deftp {exception type} &cannot-decode-id-token @var{value} @var{cause} -The @var{value} string is not an encoding of a valid ID token. -@end deftp - -@deftp {exception type} &cannot-encode-id-token @var{id-token} @var{key} @var{cause} -The @var{id-token} cannot be signed. -@end deftp - -@node Cannot fetch data on the web -@section Cannot fetch data on the web -In the client (local and public parts), resource server and identity -provider, the protocol requires to fetch data on the web. - -@deftp {exception type} &request-failed-unexpectedly @var{response-code} @var{response-reason-phrase} -We expected the request to succeed, but the server sent a non-OK -@var{response-code}. 
-@end deftp - -@deftp {exception type} &unexpected-header-value @var{header} @var{value} -We did not expect the server to respond with @var{header} set to -@var{value}. -@end deftp - -@deftp {exception type} &unexpected-response @var{response} @var{cause} -The @var{response} (from @emph{(web response)}) is not appropriate. -@end deftp - -@deftp {exception type} ¬-an-oidc-configuration @var{value} @var{cause} -The @var{value} is not appropriate an OIDC configuration. -@end deftp - -@deftp {exception type} &cannot-fetch-issuer-configuration @var{issuer} @var{cause} -It is impossible to fetch the configuration of @var{issuer}. -@end deftp - -@deftp {exception type} &cannot-fetch-jwks @var{issuer} @var{uri} @var{cause} -It is impossible to fetch the keys of @var{issuer} at @var{uri}. -@end deftp - -@deftp {exception type} &cannot-fetch-linked-data @var{uri} @var{cause} -Could not fetch the graph referenced by @var{uri}. -@end deftp - -@deftp {exception type} &cannot-fetch-client-manifest @var{id} @var{cause} -Could not fetch a client manifest at @var{id}. -@end deftp - -@node Other errors in the protocol or from a reasonable implementation -@section Other errors in the protocol or from a reasonable implementation -The protocol does not rely solely on JWT validation, so these errors -may happen too. - -@deftp {exception type} &dpop-method-mismatch @var{signed} @var{requested} -The method value @var{signed} in the DPoP proof does not match the -method that is @var{requested} on the server. -@end deftp - -@deftp {exception type} &dpop-uri-mismatch @var{signed} @var{requested} -The URI value @var{signed} in the DPoP proof does not match the URI -that is @var{requested} on the server. -@end deftp - -@deftp {exception type} &dpop-signed-in-future @var{signed} @var{current} -The proof is @var{signed} for a date which is too much ahead of the -@var{current} time. 
-@end deftp - -@deftp {exception type} &dpop-too-old @var{signed} @var{current} -The proof was @var{signed} at a past date of @var{current}. -@end deftp - -@deftp {exception type} &dpop-unconfirmed-key @var{key} @var{expected} @var{cause} -The confirmation of @var{key} is not what is @var{expected}, or (if a -function was passed as @var{cnf/check}) the @var{cause} exception -occurred while confirming. -@end deftp - -@deftp {exception type} &dpop-invalid-access-token-hash @var{hash} @var{access-token} -The @var{access-token} passed to the resource server does not match -the @var{hash} provided in the DPoP proof. -@end deftp - -@deftp {exception type} &jti-found @var{jti} @var{cause} -The @var{jti} of the proof has already been issued in a recent past. -@end deftp - -@deftp {exception type} &unauthorized-redirection-uri @var{manifest} @var{uri} -The authorization @var{uri} is not advertised in @var{manifest}. -@end deftp - -@deftp {exception type} &cannot-serve-public-manifest -You cannot serve the public client manifest. -@end deftp - -@deftp {exception type} &no-client-manifest-registration @var{id} -The @var{id} client manifest does not have a registration triple in -its document. -@end deftp - -@deftp {exception type} &inconsistent-client-manifest-id @var{id} @var{advertised-id} -The client @var{manifest} is being fetched at @var{id}, but it is -valid for another client @var{advertised-id}. -@end deftp - -@deftp {exception type} &authorization-code-expired @var{exp} @var{current-time} -The authorization code has expired at @var{exp}, it is now -@var{current-time}. -@end deftp - -@deftp {exception type} &invalid-refresh-token @var{refresh-token} -The @var{refresh-token} is unknown to the identity provider. -@end deftp - -@deftp {exception type} &invalid-key-for-refresh-token @var{key} @var{jkt} -The refresh token was issued for @var{jkt}, but it is used with -@var{key}. 
-@end deftp - -@deftp {exception type} &unknown-client-locale @var{web-locale} @var{c-locale} -The @var{web-locale} of the client, translated to C as @var{c-locale}, -cannot be set. This exception is always continuable; if the handler -returns, then the page will be served in the english locale. -@end deftp - -@deftp {exception type} &unsupported-grant-type @var{value} -The token request failed to indicate a @var{value} for the grant type, -or indicated an unsupported grant type. -@end deftp - -@deftp {exception type} &no-authorization-code -The token request forgot to put an authorization code. -@end deftp - -@deftp {exception type} &no-refresh-token -The token request forgot to put a refresh token with the request. -@end deftp - -@deftp {exception type} &unconfirmed-provider @var{subject} @var{provider} -@var{provider} is not confirmed by @var{subject} as an identity -provider. -@end deftp - -@deftp {exception type} &no-provider-candidates @var{webid} @var{causes} -The @var{webid} cannot be certified by any identity providers. The -@var{causes} alist indicates an error for each candidates. -@end deftp - -@deftp {exception type} &neither-identity-provider-nor-webid @var{uri} @var{why-not-identity-provider} @var{why-not-webid} -The @var{uri} you passed to get an authorization code is neither an -identity provider (because @var{why-not-identity-provider}) nor a -webid (because @var{why-not-webid}). -@end deftp - -@deftp {exception type} &token-request-failed @var{cause} -The token request failed on the server. -@end deftp - -@deftp {exception type} &profile-not-found @var{webid} @var{iss} @var{dir} -The @var{webid}, as certified by @var{iss}, cannot be refreshed -because we don’t have a refresh token stored in @var{dir}. -@end deftp - -@node Server-side errors -@section Server-side errors -The resource server implementation may encounter some more exceptional -conditions. 
- -@deftp {exception type} &path-not-found @var{path} -There is no registered resource at @var{path}. -@end deftp - -@deftp {exception type} &auxiliary-resource-absent @var{path} @var{kind} -The auxiliary resource of given @var{kind} is not instanciated on the -server for the base resource @var{path}. -@end deftp - -@deftp {exception type} &uri-slash-semantics-error @var{path} @var{expected-path} -While the resource at @var{path} does not exist, the resource at -@var{expected-path} does, and @var{path} and @var{expected-path} -differ only by a trailing slash. This exception may be raised along -with @code{&path-not-found}. - -Beware that even if it is true at the time when the exception is -created, maybe the resource has been created by the time it is -handled. -@end deftp - -@deftp {exception type} &cannot-delete-root -There was a request to delete the root storage, which is an error. -@end deftp - -@deftp {exception type} &container-not-empty @var{path} -There was a request to delete a non-empty container. -@end deftp - -@deftp {exception type} &cannot-fetch-group @var{group-uri} @var{cause} -The access control could not fetch the group @var{group-uri} (with a -known @var{cause}). This warning is continuable every time it is -raised. If the handler returns, then the group will be considered -empty. -@end deftp - -@deftp {exception type} &incorrect-containment-triples @var{path} -The client wanted to create or update a resource, and by that it tried -to change the containment triples at @var{path}. -@end deftp - -@deftp {exception type} &unsupported-media-type @var{content-type} -The client wanted to create a resource with the given -@var{content-type}, but it is not accepted, because @var{content-type} -is not recognized as an RDF content type. -@end deftp - -@deftp {exception type} &path-is-auxiliary @var{path} -The client wanted to create a resource that targets an auxiliary -resource, at @var{path}. 
-@end deftp
-
-@deftp {exception type} &forbidden @var{path} @var{user} @var{owner} @var{mode}
-The @var{user} wanted to do something under @var{path} requiring
-@var{mode}, but it is not the @var{owner} and it is forbidden by WAC.
-@end deftp
-
-@deftp {exception type} &precondition-failed @var{path} @var{if-match} @var{if-none-match} @var{real-etag}
-The resource under @var{path} has a @var{real-etag} that does not
-match the request headers @var{if-match} and @var{if-none-match}.
-
-If the resource does not exist, @var{real-etag} is set to
-@code{#f}. In this case, an exception of type @code{&path-not-found}
-is also thrown.
-@end deftp
-
-@deftp {exception type} ¬-acceptable @var{client-accepts} @var{path} @var{content-type}
-The client wanted a response with a specific set of
-@var{client-accept}ed content-types, but the real @var{content-type}
-of the resource under @var{path} cannot be converted to one of them.
-@end deftp
-@node GNU Free Documentation License
-@appendix GNU Free Documentation License
-
-@include fdl.texi
-
-@node Index
-@unnumbered Index
-
-@printindex cp
-
-@bye
diff --git a/get-release b/get-release
index 57d952d..6987b1f 100755
--- a/get-release
+++ b/get-release
@@ -1,6 +1,6 @@
 #!/bin/sh
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/get-version b/get-version
index 4a80cdf..a863ceb 100755
--- a/get-version
+++ b/get-version
@@ -1,6 +1,6 @@
 #!/bin/sh
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/guix/vkraus/packages/disfluid.scm b/guix/vkraus/packages/disfluid.scm
new file mode 100644
index 0000000..f372315
--- /dev/null
+++ b/guix/vkraus/packages/disfluid.scm
@@ -0,0 +1,207 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2020, 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see . + +(define-module (vkraus packages disfluid) + #:use-module (guix packages) + #:use-module (guix gexp) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix download) + #:use-module (guix git-download) + #:use-module (guix build-system gnu) + #:use-module (gnu packages) + #:use-module (gnu packages base) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages nettle) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages texinfo) + #:use-module (gnu packages autotools) + #:use-module (gnu packages gettext) + #:use-module (gnu packages man) + #:use-module (gnu packages tls)) + +(define-public disfluid-snapshot + (package + (name "disfluid-snapshot") + (version "SNAPSHOT") + (source "./disfluid-SNAPSHOT.tar.gz") + (build-system gnu-build-system) + (arguments + '(#:modules ((guix build utils) + (guix build gnu-build-system) + (ice-9 rdelim) + (ice-9 popen)) + #:phases + (modify-phases + %standard-phases + (add-after + 'install 'wrap-program + (lambda* (#:key native-inputs inputs outputs #:allow-other-keys) + (define (remove-duplicates list) + (define (aux selected seen-table rest) + (if (null? 
rest) + (reverse selected) + (let ((next (car rest)) + (rest (cdr rest))) + (if (hash-ref seen-table next #f) + (aux selected seen-table rest) + (begin + (hash-set! seen-table next #t) + (aux (cons next selected) seen-table rest)))))) + (aux '() (make-hash-table (length list)) list)) + (let* ((out (assoc-ref outputs "out")) + (the-guile (assoc-ref (or native-inputs inputs) "guile")) + (the-guile-exec (format #f "~a/bin/guile" the-guile)) + (effective-version + (read-line + (open-pipe* OPEN_READ + the-guile-exec + "-c" + "(display (effective-version))"))) + (guile-propagated-inputs + (remove-duplicates + (cons out + (map cdr inputs)))) + (mod-paths + (filter + file-exists? + (map (lambda (prop-input) + (format #f "~a/share/guile/site/~a" + prop-input effective-version)) + guile-propagated-inputs))) + (go-paths + (filter + file-exists? + (map (lambda (prop-input) + (format #f "~a/lib/guile/~a/site-ccache" + prop-input effective-version)) + guile-propagated-inputs)))) + (wrap-program + (format #f "~a/bin/disfluid" out) + `("GUILE_LOAD_PATH" ":" = ,mod-paths) + `("GUILE_LOAD_COMPILED_PATH" ":" = ,go-paths)) + (symlink (format #f "~a/bin/disfluid" out) + (format #f "~a/bin/webid-oidc" out)) + (for-each + (lambda (program) + (wrap-program + (format #f "~a/bin/disfluid-~a" out program) + `("GUILE_LOAD_PATH" ":" = ,mod-paths) + `("GUILE_LOAD_COMPILED_PATH" ":" = ,go-paths))) + '(example-app hello)))))))) + (native-inputs + `(("pkg-config" ,pkg-config) + ("guile" ,guile-3.0) + ("guile-json" ,guile-json-4) + ("guile-rdf" ,guile-rdf) + ("guile-jsonld" ,guile-jsonld) + ("texinfo" ,texinfo) + ("autoconf" ,autoconf) + ("autoconf-archive" ,autoconf-archive) + ("automake" ,automake) + ("libtool" ,libtool) + ("gettext" ,gnu-gettext) + ("coreutils" ,coreutils) ;; for link (wrap-program) + ("help2man" ,help2man) + ("which" ,which))) + (inputs `(("guile" ,guile-3.0) + ("guile-json" ,guile-json-4) + ("guile-rdf" ,guile-rdf) + ("guile-jsonld" ,guile-rdf) + ("gnutls" ,gnutls) + ("nettle" 
,nettle))) + (synopsis "Demanding Interoperability to Strengthen the Free (Libre) Web: Introducing Disfluid") + (description "Demanding Interoperability to Strengthen the Free (Libre) Web: Introducing Disfluid") + (home-page "https://labo.planete-kraus.eu/webid-oidc.git") + (license license:agpl3+) + (native-search-paths + (list (search-path-specification + (variable "LTDL_LIBRARY_PATH") + (files '("lib"))))))) + +(define-public (disfluid-release version release-date commit hash) + (package + (inherit disfluid-snapshot) + (name "disfluid") + (version version) + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://labo.planete-kraus.eu/webid-oidc.git") + (commit commit))) + (sha256 (base32 hash)) + (snippet + `(begin + (with-output-to-file ".tarball-version" + (lambda _ (format #t "~a~%" ,version))) + (with-output-to-file ".tarball-release-date" + (lambda _ (format #t "~a~%" ,release-date))) + #t)))))) + +(define-public (disfluid-htmlize disfluid) + (package + (inherit disfluid) + (name "disfluid-html") + (arguments + '(#:modules ((guix build utils) + (guix build gnu-build-system) + (ice-9 textual-ports)) + #:phases + (modify-phases + %standard-phases + (add-after + 'build 'build-html + (lambda* (#:key make-flags parallel-build? #:allow-other-keys) + (apply invoke "make" "html" + `(,@(if parallel-build? + `("-j" ,(number->string (parallel-job-count))) + '()) + ,@make-flags)))) + (add-after + 'build-html 'complete-corresponding-source + (lambda* (#:key make-flags parallel-build? #:allow-other-keys) + (apply invoke "make" "dist" + `(,@(if parallel-build? + `("-j" ,(number->string (parallel-job-count))) + '()) + ,@make-flags)))) + (replace + 'install + (lambda* (#:key make-flags parallel-build? outputs #:allow-other-keys) + (apply invoke "make" "install-html" + `(,@(if parallel-build? 
+ `("-j" ,(number->string (parallel-job-count))) + '()) + ,@make-flags)) + (let ((version + (car + (string-split + (call-with-input-file ".tarball-version" + get-string-all) + #\newline)))) + (copy-file (string-append + "disfluid-" version ".tar.gz") + (string-append + (assoc-ref outputs "out") + "/share/doc/disfluid/disfluid.html/complete-corresponding-source.tar.gz")))))))) + (synopsis "HTML documentation for Disfluid") + (description "The manual for disfluid is provided as a texinfo +file, which is exported to HTML. Also include the complete +corresponding source, as an AGPL requirement."))) + +(define-public (make-website disfluid) + (file-append (disfluid-htmlize disfluid) "/share/doc/disfluid/disfluid.html")) diff --git a/guix/vkraus/packages/webid-oidc.scm b/guix/vkraus/packages/webid-oidc.scm deleted file mode 100644 index 223438b..0000000 --- a/guix/vkraus/packages/webid-oidc.scm +++ /dev/null 
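Review bot: In the `inputs` list of `disfluid-snapshot`, the `"guile-jsonld"` entry is bound to `,guile-rdf` instead of `,guile-jsonld` (the `native-inputs` list just above has the right package), so the runtime closure and the `GUILE_LOAD_PATH`/`GUILE_LOAD_COMPILED_PATH` that the `wrap-program` phase derives from `(map cdr inputs)` contain guile-rdf twice and guile-jsonld not at all; the wrapped `disfluid`, `disfluid-example-app` and `disfluid-hello` will only find the JSON-LD modules if something else happens to propagate them. The line should read `("guile-jsonld" ,guile-jsonld)`. Separately, the port returned by `open-pipe*` when reading `(effective-version)` is never passed to `close-pipe`, which leaves the child guile and its pipe open for the rest of the phase; binding the port, reading the line, then calling `(close-pipe port)` before using the value would fix it.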
@@ -1,205 +0,0 @@ -;; webid-oidc, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see . - -(define-module (vkraus packages webid-oidc) - #:use-module (guix packages) - #:use-module (guix gexp) - #:use-module ((guix licenses) #:prefix license:) - #:use-module (guix download) - #:use-module (guix git-download) - #:use-module (guix build-system gnu) - #:use-module (gnu packages) - #:use-module (gnu packages base) - #:use-module (gnu packages guile) - #:use-module (gnu packages guile-xyz) - #:use-module (gnu packages nettle) - #:use-module (gnu packages pkg-config) - #:use-module (gnu packages texinfo) - #:use-module (gnu packages autotools) - #:use-module (gnu packages gettext) - #:use-module (gnu packages man) - #:use-module (gnu packages tls)) - -(define-public webid-oidc-snapshot - (package - (name "webid-oidc-snapshot") - (version "SNAPSHOT") - (source "./webid-oidc-SNAPSHOT.tar.gz") - (build-system gnu-build-system) - (arguments - '(#:modules ((guix build utils) - (guix build gnu-build-system) - (ice-9 rdelim) - (ice-9 popen)) - #:phases - (modify-phases - %standard-phases - (add-after - 'install 'wrap-program - (lambda* (#:key native-inputs inputs outputs #:allow-other-keys) - (define (remove-duplicates list) - (define (aux selected seen-table rest) - (if (null? 
rest) - (reverse selected) - (let ((next (car rest)) - (rest (cdr rest))) - (if (hash-ref seen-table next #f) - (aux selected seen-table rest) - (begin - (hash-set! seen-table next #t) - (aux (cons next selected) seen-table rest)))))) - (aux '() (make-hash-table (length list)) list)) - (let* ((out (assoc-ref outputs "out")) - (the-guile (assoc-ref (or native-inputs inputs) "guile")) - (the-guile-exec (format #f "~a/bin/guile" the-guile)) - (effective-version - (read-line - (open-pipe* OPEN_READ - the-guile-exec - "-c" - "(display (effective-version))"))) - (guile-propagated-inputs - (remove-duplicates - (cons out - (map cdr inputs)))) - (mod-paths - (filter - file-exists? - (map (lambda (prop-input) - (format #f "~a/share/guile/site/~a" - prop-input effective-version)) - guile-propagated-inputs))) - (go-paths - (filter - file-exists? - (map (lambda (prop-input) - (format #f "~a/lib/guile/~a/site-ccache" - prop-input effective-version)) - guile-propagated-inputs)))) - (wrap-program - (format #f "~a/bin/webid-oidc" out) - `("GUILE_LOAD_PATH" ":" = ,mod-paths) - `("GUILE_LOAD_COMPILED_PATH" ":" = ,go-paths)) - (for-each - (lambda (program) - (wrap-program - (format #f "~a/bin/webid-oidc-~a" out program) - `("GUILE_LOAD_PATH" ":" = ,mod-paths) - `("GUILE_LOAD_COMPILED_PATH" ":" = ,go-paths))) - '(example-app hello)))))))) - (native-inputs - `(("pkg-config" ,pkg-config) - ("guile" ,guile-3.0) - ("guile-json" ,guile-json-4) - ("guile-rdf" ,guile-rdf) - ("guile-jsonld" ,guile-jsonld) - ("texinfo" ,texinfo) - ("autoconf" ,autoconf) - ("autoconf-archive" ,autoconf-archive) - ("automake" ,automake) - ("libtool" ,libtool) - ("gettext" ,gnu-gettext) - ("coreutils" ,coreutils) ;; for link (wrap-program) - ("help2man" ,help2man) - ("which" ,which))) - (inputs `(("guile" ,guile-3.0) - ("guile-json" ,guile-json-4) - ("guile-rdf" ,guile-rdf) - ("guile-jsonld" ,guile-rdf) - ("gnutls" ,gnutls) - ("nettle" ,nettle))) - (synopsis "") - (description "") - (home-page 
"https://labo.planete-kraus.eu/webid-oidc.git") - (license license:agpl3+) - (native-search-paths - (list (search-path-specification - (variable "LTDL_LIBRARY_PATH") - (files '("lib"))))))) - -(define-public (webid-oidc-release version release-date commit hash) - (package - (inherit webid-oidc-snapshot) - (name "webid-oidc") - (version version) - (source - (origin - (method git-fetch) - (uri (git-reference - (url "https://labo.planete-kraus.eu/webid-oidc.git") - (commit commit))) - (sha256 (base32 hash)) - (snippet - `(begin - (with-output-to-file ".tarball-version" - (lambda _ (format #t "~a~%" ,version))) - (with-output-to-file ".tarball-release-date" - (lambda _ (format #t "~a~%" ,release-date))) - #t)))))) - -(define-public (webid-oidc-htmlize webid-oidc) - (package - (inherit webid-oidc) - (name "webid-oidc-html") - (arguments - '(#:modules ((guix build utils) - (guix build gnu-build-system) - (ice-9 textual-ports)) - #:phases - (modify-phases - %standard-phases - (add-after - 'build 'build-html - (lambda* (#:key make-flags parallel-build? #:allow-other-keys) - (apply invoke "make" "html" - `(,@(if parallel-build? - `("-j" ,(number->string (parallel-job-count))) - '()) - ,@make-flags)))) - (add-after - 'build-html 'complete-corresponding-source - (lambda* (#:key make-flags parallel-build? #:allow-other-keys) - (apply invoke "make" "dist" - `(,@(if parallel-build? - `("-j" ,(number->string (parallel-job-count))) - '()) - ,@make-flags)))) - (replace - 'install - (lambda* (#:key make-flags parallel-build? outputs #:allow-other-keys) - (apply invoke "make" "install-html" - `(,@(if parallel-build? 
- `("-j" ,(number->string (parallel-job-count))) - '()) - ,@make-flags)) - (let ((version - (car - (string-split - (call-with-input-file ".tarball-version" - get-string-all) - #\newline)))) - (copy-file (string-append - "webid-oidc-" version ".tar.gz") - (string-append - (assoc-ref outputs "out") - "/share/doc/webid-oidc/webid-oidc.html/complete-corresponding-source.tar.gz")))))))) - (synopsis "HTML documentation for webid-oidc") - (description "The manual for webid-oidc is provided as a texinfo -file, which is exported to HTML. Also include the complete -corresponding source, as an AGPL requirement."))) - -(define-public (make-website webid-oidc) - (file-append (webid-oidc-htmlize webid-oidc) "/share/doc/webid-oidc/webid-oidc.html")) diff --git a/guix/vkraus/services/disfluid.scm b/guix/vkraus/services/disfluid.scm new file mode 100644 index 0000000..ba2e976 --- /dev/null +++ b/guix/vkraus/services/disfluid.scm 
@@ -0,0 +1,520 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2020, 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see . + +(define-module (vkraus services disfluid) + #:use-module (gnu services) + #:use-module (gnu services shepherd) + #:use-module (gnu services admin) + #:use-module (gnu services web) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) + #:use-module (vkraus packages disfluid) + #:use-module (guix gexp) + #:use-module (guix modules) + #:use-module (guix records) + #:use-module (ice-9 match) + #:use-module (ice-9 optargs)) + +(define-record-type* + disfluid-issuer-configuration + make-disfluid-issuer-configuration + disfluid-issuer-configuration? 
+ (disfluid disfluid-issuer-configuration-disfluid + (default disfluid)) + (complete-corresponding-source + disfluid-issuer-configuration-complete-corresponding-source) + (issuer disfluid-issuer-configuration-issuer) + (key-file disfluid-issuer-configuration-key-file + (default "/var/lib/disfluid/issuer/key.jwk")) + (subject disfluid-issuer-configuration-subject) + (encrypted-password disfluid-issuer-configuration-encrypted-password) + (jwks-uri disfluid-issuer-configuration-jwks-uri) + (authorization-endpoint-uri + disfluid-issuer-configuration-authorization-endpoint-uri) + (token-endpoint-uri + disfluid-issuer-configuration-token-endpoint-uri) + (port disfluid-issuer-configuration-port (default 8088)) + (extra-options + disfluid-issuer-configuration-extra-options + (default '()))) + +(define-record-type* + disfluid-reverse-proxy-configuration + make-disfluid-reverse-proxy-configuration + disfluid-reverse-proxy-configuration? + (disfluid disfluid-reverse-proxy-configuration-disfluid + (default disfluid)) + (complete-corresponding-source + disfluid-reverse-proxy-configuration-complete-corresponding-source) + (port disfluid-reverse-proxy-port (default 8090)) + (inbound-uri disfluid-reverse-proxy-configuration-inbound-uri) + (outbound-uri disfluid-reverse-proxy-configuration-outbound-uri) + (header disfluid-reverse-proxy-configuration-header + (default "XXX-Agent")) + (extra-options + disfluid-reverse-proxy-extra-options + (default '()))) + +(define-record-type* + disfluid-hello-configuration + make-disfluid-hello-configuration + disfluid-hello-configuration? 
+ (disfluid disfluid-hello-configuration-disfluid + (default disfluid)) + (complete-corresponding-source + disfluid-hello-configuration-complete-corresponding-source) + (port disfluid-hello-configuration-port (default 8089)) + (extra-options + disfluid-hello-configuration-extra-options + (default '()))) + +(define-record-type* + disfluid-client-service-configuration + make-disfluid-client-service-configuration + disfluid-client-service-configuration? + (disfluid disfluid-client-service-configuration-disfluid + (default disfluid)) + (complete-corresponding-source + disfluid-client-service-configuration-complete-corresponding-source) + (client-id disfluid-client-service-configuration-client-id) + (redirect-uri disfluid-client-service-configuration-redirect-uri) + (client-name disfluid-client-service-configuration-client-name (default "Example Solid App")) + (client-uri disfluid-client-service-configuration-client-uri (default "https://webid-oidc.planete-kraus.eu/Running-a-client.html#Running-a-client")) + (port disfluid-client-service-configuration-port (default 8088)) + (extra-options + disfluid-client-service-configuration-extra-options + (default '()))) + +(define-record-type* + disfluid-server-configuration + make-disfluid-server-configuration + disfluid-server-configuration? 
+ (disfluid disfluid-server-configuration-disfluid + (default disfluid)) + (complete-corresponding-source + disfluid-server-configuration-complete-corresponding-source) + (server-name disfluid-server-configuration-server-name) + (key-file disfluid-server-configuration-key-file + (default "/var/lib/disfluid/server/key.jwk")) + (subject disfluid-server-configuration-subject) + (encrypted-password disfluid-server-configuration-encrypted-password) + (jwks-uri disfluid-server-configuration-jwks-uri) + (authorization-endpoint-uri + disfluid-server-configuration-authorization-endpoint-uri) + (token-endpoint-uri + disfluid-server-configuration-token-endpoint-uri) + (port disfluid-server-configuration-port (default 8088)) + (extra-options + disfluid-issuer-configuration-extra-options + (default '()))) + +(export + disfluid-issuer-configuration + make-disfluid-issuer-configuration + disfluid-issuer-configuration? + disfluid-issuer-configuration-disfluid + disfluid-issuer-configuration-complete-corresponding-source + disfluid-issuer-configuration-issuer + disfluid-issuer-configuration-key-file + disfluid-issuer-configuration-subject + disfluid-issuer-configuration-encrypted-password + disfluid-issuer-configuration-jwks-uri + disfluid-issuer-configuration-authorization-endpoint-uri + disfluid-issuer-configuration-token-endpoint-uri + disfluid-issuer-configuration-port + disfluid-issuer-configuration-extra-options + + disfluid-reverse-proxy-configuration + make-disfluid-reverse-proxy-configuration + disfluid-reverse-proxy-configuration? 
+ disfluid-reverse-proxy-configuration-disfluid + disfluid-reverse-proxy-configuration-complete-corresponding-source + disfluid-reverse-proxy-configuration-port + disfluid-reverse-proxy-configuration-inbound-uri + disfluid-reverse-proxy-configuration-outbound-uri + disfluid-reverse-proxy-configuration-header + disfluid-reverse-proxy-configuration-extra-options + + disfluid-hello-configuration + make-disfluid-hello-configuration + disfluid-hello-configuration? + disfluid-hello-configuration-disfluid + disfluid-hello-configuration-complete-corresponding-source + disfluid-hello-configuration-port + disfluid-hello-configuration-extra-options + + disfluid-client-service-configuration + make-disfluid-client-service-configuration + disfluid-client-service-configuration? + disfluid-client-service-configuration-disfluid + disfluid-client-service-configuration-complete-corresponding-source + disfluid-client-service-configuration-client-id + disfluid-client-service-configuration-redirect-uri + disfluid-client-service-configuration-client-name + disfluid-client-service-configuration-client-uri + disfluid-client-service-configuration-port + disfluid-client-service-configuration-extra-options + + disfluid-server-configuration + make-disfluid-server-configuration + disfluid-server-configuration? 
+ disfluid-server-configuration-disfluid + disfluid-server-configuration-complete-corresponding-source + disfluid-server-configuration-server-name + disfluid-server-configuration-key-file + disfluid-server-configuration-subject + disfluid-server-configuration-encrypted-password + disfluid-server-configuration-jwks-uri + disfluid-server-configuration-authorization-endpoint-uri + disfluid-server-configuration-token-endpoint-uri + disfluid-server-configuration-port + disfluid-server-configuration-extra-options) + +(define disfluid-issuer-shepherd-service + (match-lambda + (($ + disfluid ccs issuer key-file subject encrypted-password jwks-uri + authorization-endpoint-uri token-endpoint-uri port + extra-options) + (with-imported-modules + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(disfluid-issuer)) + (documentation "Run the Solid identity provider.") + (requirement '(user-processes)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid") + (prepare-directory "/var/lib/disfluid") + (prepare-directory "/var/cache/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid") + "identity-provider" + "--complete-corresponding-source" #$ccs + "--server-name" #$issuer + "--key-file" #$key-file + "--subject" #$subject + "--encrypted-password" #$encrypted-password + "--jwks-uri" #$jwks-uri + "--authorization-endpoint-uri" #$authorization-endpoint-uri + "--token-endpoint-uri" #$token-endpoint-uri + "--port" (with-output-to-string (lambda () (display #$port))) + "--log-file" "issuer.log" + "--error-file" "issuer.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + 
`("XDG_DATA_HOME=/var/lib" + "XDG_CACHE_HOME=/var/cache" + "LANG=C")))) + (stop #~(make-kill-destructor)))))))) + +(define disfluid-reverse-proxy-shepherd-service + (match-lambda + (($ + disfluid ccs port inbound-uri outbound-uri header + extra-options) + (with-imported-modules + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(disfluid-reverse-proxy)) + (documentation "Run a proxy to authenticate with Solid.") + (requirement '(user-processes)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid") + (prepare-directory "/var/lib/disfluid") + (prepare-directory "/var/cache/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid") + "reverse-proxy" + "--complete-corresponding-source" #$ccs + "--port" (with-output-to-string (lambda () (display #$port))) + "--server-name" #$inbound-uri + "--backend-uri" #$outbound-uri + "--header" #$header + "--log-file" "reverse-proxy.log" + "--error-file" "reverse-proxy.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + `("XDG_DATA_HOME=/var/lib" + "XDG_CACHE_HOME=/var/cache" + "LANG=C")))) + (stop #~(make-kill-destructor)))))))) + +(define disfluid-hello-shepherd-service + (match-lambda + (($ + disfluid ccs port extra-options) + (with-imported-modules + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(disfluid-hello)) + (documentation "Run a demonstration Solid server.") + (requirement '(user-processes)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda 
(dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid") + (prepare-directory "/var/lib/disfluid") + (prepare-directory "/var/cache/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid-hello") + "--complete-corresponding-source" #$ccs + "--port" (with-output-to-string (lambda () (display #$port))) + "--log-file" "hello.log" + "--error-file" "hello.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + `("XDG_DATA_HOME=/var/lib" + "XDG_CACHE_HOME=/var/cache" + "LANG=C")))) + (stop #~(make-kill-destructor)))))))) + +(define disfluid-client-service-shepherd-service + (match-lambda + (($ + disfluid ccs client-id redirect-uri client-name client-uri port + extra-options) + (with-imported-modules + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(disfluid-client-service)) + (documentation "Run a server for a Solid application.") + (requirement '(user-processes)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid") + "client-service" + "--complete-corresponding-source" #$ccs + "--client-id" #$client-id + "--redirect-uri" #$redirect-uri + "--client-name" #$client-name + "--client-uri" #$client-uri + "--port" (with-output-to-string (lambda () (display #$port))) + "--log-file" "client-service.log" + "--error-file" "client-service.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + `("LANG=C")))) + (stop 
#~(make-kill-destructor)))))))) + +(define disfluid-server-shepherd-service + (match-lambda + (($ + disfluid ccs server-name key-file subject encrypted-password jwks-uri + authorization-endpoint-uri token-endpoint-uri port + extra-options) + (with-imported-modules + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(disfluid-server)) + (documentation "Run the full Solid server.") + (requirement '(user-processes)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid") + (prepare-directory "/var/lib/disfluid") + (prepare-directory "/var/cache/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid") + "server" + "--complete-corresponding-source" #$ccs + "--server-name" #$server-name + "--key-file" #$key-file + "--subject" #$subject + "--encrypted-password" #$encrypted-password + "--jwks-uri" #$jwks-uri + "--authorization-endpoint-uri" #$authorization-endpoint-uri + "--token-endpoint-uri" #$token-endpoint-uri + "--port" (with-output-to-string (lambda () (display #$port))) + "--log-file" "server.log" + "--error-file" "server.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + `("XDG_DATA_HOME=/var/lib" + "XDG_CACHE_HOME=/var/cache" + "LANG=C")))) + (stop #~(make-kill-destructor)))))))) + +(define %disfluid-accounts + (list (user-group (name "disfluid") + (system? #t)) + (user-account + (name "disfluid") + (group "disfluid") + (system? 
#t) + (comment "The user that runs the disfluid issuer and resource server.") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define (%disfluid-log-rotation file) + (list (log-rotation + (frequency 'daily) + (files + (map (lambda (ext) (string-append "/var/log/disfluid/" file "." ext)) + '("log" "err"))) + (options '("sharedscripts" + "storedir /var/log/disfluid"))))) + +(define-public disfluid-issuer-service-type + (service-type + (name 'disfluid-issuer) + (extensions + (list + (service-extension account-service-type + (const %disfluid-accounts)) + (service-extension rottlog-service-type + (const (%disfluid-log-rotation "issuer"))) + (service-extension + shepherd-root-service-type + disfluid-issuer-shepherd-service))))) + +(define-public disfluid-reverse-proxy-service-type + (service-type + (name 'disfluid-reverse-proxy) + (extensions + (list + (service-extension account-service-type + (const %disfluid-accounts)) + (service-extension rottlog-service-type + (const (%disfluid-log-rotation "reverse-proxy"))) + (service-extension + shepherd-root-service-type + disfluid-reverse-proxy-shepherd-service))))) + +(define-public disfluid-hello-service-type + (service-type + (name 'disfluid-hello) + (extensions + (list + (service-extension account-service-type + (const %disfluid-accounts)) + (service-extension rottlog-service-type + (const (%disfluid-log-rotation "hello"))) + (service-extension + shepherd-root-service-type + disfluid-hello-shepherd-service))))) + +(define-public disfluid-client-service-service-type + (service-type + (name 'disfluid-client-service) + (extensions + (list + (service-extension account-service-type + (const %disfluid-accounts)) + (service-extension rottlog-service-type + (const (%disfluid-log-rotation "client-service"))) + (service-extension + shepherd-root-service-type + disfluid-client-service-shepherd-service))))) + +(define-public disfluid-server-service-type + (service-type + (name 'disfluid-server) + 
(extensions + (list + (service-extension account-service-type + (const %disfluid-accounts)) + (service-extension rottlog-service-type + (const (%disfluid-log-rotation "server"))) + (service-extension + shepherd-root-service-type + disfluid-server-shepherd-service))))) + +(define-public disfluid-website + (nginx-server-configuration + (server-name '("disfluid.planete-kraus.eu" "webid-oidc.planete-kraus.eu")) + (listen '("443 ssl" "[::]:443 ssl")) + (ssl-certificate "/etc/letsencrypt/live/planete-kraus.eu/fullchain.pem") + (ssl-certificate-key "/etc/letsencrypt/live/planete-kraus.eu/privkey.pem") + (root disfluid:website) + (locations + (list + (nginx-location-configuration + (uri "/project") + (body + (list "default_type text/turtle ;"))))))) diff --git a/guix/vkraus/services/webid-oidc.scm b/guix/vkraus/services/webid-oidc.scm deleted file mode 100644 index c20c550..0000000 --- a/guix/vkraus/services/webid-oidc.scm +++ /dev/null 
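Review bot: The issuer and server `start` gexps pass the password hash as `"--encrypted-password" #$encrypted-password` on the command line, so it is typically readable by any local user through `ps`/`/proc/<pid>/cmdline` and is also baked into the world-readable store item that holds the shepherd service, whereas the signing key is only referenced by path and lives under the `#o700` `/var/lib/disfluid` that `prepare-directory` creates. If disfluid can read the hash from a file, point it at a root-owned 0600 file instead; otherwise add a comment on the `encrypted-password` field of both records, `;; Exposed in the process argv and the store; use a strong, salted hash.`, so deployers know what they are committing. Separately, the `disfluid-server-configuration` record names its last accessor `disfluid-issuer-configuration-extra-options`, which redefines the issuer's accessor against the wrong record type and leaves the exported `disfluid-server-configuration-extra-options` without a definition; the field should read `(extra-options disfluid-server-configuration-extra-options (default '()))`.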
@@ -1,520 +0,0 @@ -;; webid-oidc, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see . - -(define-module (vkraus services webid-oidc) - #:use-module (gnu services) - #:use-module (gnu services shepherd) - #:use-module (gnu services admin) - #:use-module (gnu services web) - #:use-module (gnu system shadow) - #:use-module (gnu packages admin) - #:use-module (vkraus packages webid-oidc) - #:use-module (guix gexp) - #:use-module (guix modules) - #:use-module (guix records) - #:use-module (ice-9 match) - #:use-module (ice-9 optargs)) - -(define-record-type* - webid-oidc-issuer-configuration - make-webid-oidc-issuer-configuration - webid-oidc-issuer-configuration? 
- (webid-oidc webid-oidc-issuer-configuration-webid-oidc - (default webid-oidc)) - (complete-corresponding-source - webid-oidc-issuer-configuration-complete-corresponding-source) - (issuer webid-oidc-issuer-configuration-issuer) - (key-file webid-oidc-issuer-configuration-key-file - (default "/var/lib/webid-oidc/issuer/key.jwk")) - (subject webid-oidc-issuer-configuration-subject) - (encrypted-password webid-oidc-issuer-configuration-encrypted-password) - (jwks-uri webid-oidc-issuer-configuration-jwks-uri) - (authorization-endpoint-uri - webid-oidc-issuer-configuration-authorization-endpoint-uri) - (token-endpoint-uri - webid-oidc-issuer-configuration-token-endpoint-uri) - (port webid-oidc-issuer-configuration-port (default 8088)) - (extra-options - webid-oidc-issuer-configuration-extra-options - (default '()))) - -(define-record-type* - webid-oidc-reverse-proxy-configuration - make-webid-oidc-reverse-proxy-configuration - webid-oidc-reverse-proxy-configuration? - (webid-oidc webid-oidc-reverse-proxy-configuration-webid-oidc - (default webid-oidc)) - (complete-corresponding-source - webid-oidc-reverse-proxy-configuration-complete-corresponding-source) - (port webid-oidc-reverse-proxy-port (default 8090)) - (inbound-uri webid-oidc-reverse-proxy-configuration-inbound-uri) - (outbound-uri webid-oidc-reverse-proxy-configuration-outbound-uri) - (header webid-oidc-reverse-proxy-configuration-header - (default "XXX-Agent")) - (extra-options - webid-oidc-reverse-proxy-extra-options - (default '()))) - -(define-record-type* - webid-oidc-hello-configuration - make-webid-oidc-hello-configuration - webid-oidc-hello-configuration? 
- (webid-oidc webid-oidc-hello-configuration-webid-oidc - (default webid-oidc)) - (complete-corresponding-source - webid-oidc-hello-configuration-complete-corresponding-source) - (port webid-oidc-hello-configuration-port (default 8089)) - (extra-options - webid-oidc-hello-configuration-extra-options - (default '()))) - -(define-record-type* - webid-oidc-client-service-configuration - make-webid-oidc-client-service-configuration - webid-oidc-client-service-configuration? - (webid-oidc webid-oidc-client-service-configuration-webid-oidc - (default webid-oidc)) - (complete-corresponding-source - webid-oidc-client-service-configuration-complete-corresponding-source) - (client-id webid-oidc-client-service-configuration-client-id) - (redirect-uri webid-oidc-client-service-configuration-redirect-uri) - (client-name webid-oidc-client-service-configuration-client-name (default "Example Solid App")) - (client-uri webid-oidc-client-service-configuration-client-uri (default "https://webid-oidc.planete-kraus.eu/Running-a-client.html#Running-a-client")) - (port webid-oidc-client-service-configuration-port (default 8088)) - (extra-options - webid-oidc-client-service-configuration-extra-options - (default '()))) - -(define-record-type* - webid-oidc-server-configuration - make-webid-oidc-server-configuration - webid-oidc-server-configuration? 
- (webid-oidc webid-oidc-server-configuration-webid-oidc - (default webid-oidc)) - (complete-corresponding-source - webid-oidc-server-configuration-complete-corresponding-source) - (server-name webid-oidc-server-configuration-server-name) - (key-file webid-oidc-server-configuration-key-file - (default "/var/lib/webid-oidc/server/key.jwk")) - (subject webid-oidc-server-configuration-subject) - (encrypted-password webid-oidc-server-configuration-encrypted-password) - (jwks-uri webid-oidc-server-configuration-jwks-uri) - (authorization-endpoint-uri - webid-oidc-server-configuration-authorization-endpoint-uri) - (token-endpoint-uri - webid-oidc-server-configuration-token-endpoint-uri) - (port webid-oidc-server-configuration-port (default 8088)) - (extra-options - webid-oidc-issuer-configuration-extra-options - (default '()))) - -(export - webid-oidc-issuer-configuration - make-webid-oidc-issuer-configuration - webid-oidc-issuer-configuration? - webid-oidc-issuer-configuration-webid-oidc - webid-oidc-issuer-configuration-complete-corresponding-source - webid-oidc-issuer-configuration-issuer - webid-oidc-issuer-configuration-key-file - webid-oidc-issuer-configuration-subject - webid-oidc-issuer-configuration-encrypted-password - webid-oidc-issuer-configuration-jwks-uri - webid-oidc-issuer-configuration-authorization-endpoint-uri - webid-oidc-issuer-configuration-token-endpoint-uri - webid-oidc-issuer-configuration-port - webid-oidc-issuer-configuration-extra-options - - webid-oidc-reverse-proxy-configuration - make-webid-oidc-reverse-proxy-configuration - webid-oidc-reverse-proxy-configuration? 
- webid-oidc-reverse-proxy-configuration-webid-oidc - webid-oidc-reverse-proxy-configuration-complete-corresponding-source - webid-oidc-reverse-proxy-configuration-port - webid-oidc-reverse-proxy-configuration-inbound-uri - webid-oidc-reverse-proxy-configuration-outbound-uri - webid-oidc-reverse-proxy-configuration-header - webid-oidc-reverse-proxy-configuration-extra-options - - webid-oidc-hello-configuration - make-webid-oidc-hello-configuration - webid-oidc-hello-configuration? - webid-oidc-hello-configuration-webid-oidc - webid-oidc-hello-configuration-complete-corresponding-source - webid-oidc-hello-configuration-port - webid-oidc-hello-configuration-extra-options - - webid-oidc-client-service-configuration - make-webid-oidc-client-service-configuration - webid-oidc-client-service-configuration? - webid-oidc-client-service-configuration-webid-oidc - webid-oidc-client-service-configuration-complete-corresponding-source - webid-oidc-client-service-configuration-client-id - webid-oidc-client-service-configuration-redirect-uri - webid-oidc-client-service-configuration-client-name - webid-oidc-client-service-configuration-client-uri - webid-oidc-client-service-configuration-port - webid-oidc-client-service-configuration-extra-options - - webid-oidc-server-configuration - make-webid-oidc-server-configuration - webid-oidc-server-configuration? 
- webid-oidc-server-configuration-webid-oidc - webid-oidc-server-configuration-complete-corresponding-source - webid-oidc-server-configuration-server-name - webid-oidc-server-configuration-key-file - webid-oidc-server-configuration-subject - webid-oidc-server-configuration-encrypted-password - webid-oidc-server-configuration-jwks-uri - webid-oidc-server-configuration-authorization-endpoint-uri - webid-oidc-server-configuration-token-endpoint-uri - webid-oidc-server-configuration-port - webid-oidc-server-configuration-extra-options) - -(define webid-oidc-issuer-shepherd-service - (match-lambda - (($ - webid-oidc ccs issuer key-file subject encrypted-password jwks-uri - authorization-endpoint-uri token-endpoint-uri port - extra-options) - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - (list (shepherd-service - (provision '(webid-oidc-issuer)) - (documentation "Run the Solid identity provider.") - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - #~(begin - (let* ((user (getpwnam "webid-oidc")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/webid-oidc") - (prepare-directory "/var/lib/webid-oidc") - (prepare-directory "/var/cache/webid-oidc")) - (make-forkexec-constructor - (list - (string-append #$webid-oidc "/bin/webid-oidc") - "identity-provider" - "--complete-corresponding-source" #$ccs - "--server-name" #$issuer - "--key-file" #$key-file - "--subject" #$subject - "--encrypted-password" #$encrypted-password - "--jwks-uri" #$jwks-uri - "--authorization-endpoint-uri" #$authorization-endpoint-uri - "--token-endpoint-uri" #$token-endpoint-uri - "--port" (with-output-to-string (lambda () (display #$port))) - "--log-file" "issuer.log" - "--error-file" "issuer.err" - #$@extra-options) - #:user "webid-oidc" - #:group "webid-oidc" - #:directory 
"/var/log/webid-oidc" - #:environment-variables - `("XDG_DATA_HOME=/var/lib" - "XDG_CACHE_HOME=/var/cache" - "LANG=C")))) - (stop #~(make-kill-destructor)))))))) - -(define webid-oidc-reverse-proxy-shepherd-service - (match-lambda - (($ - webid-oidc ccs port inbound-uri outbound-uri header - extra-options) - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - (list (shepherd-service - (provision '(webid-oidc-reverse-proxy)) - (documentation "Run a proxy to authenticate with Solid.") - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - #~(begin - (let* ((user (getpwnam "webid-oidc")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/webid-oidc") - (prepare-directory "/var/lib/webid-oidc") - (prepare-directory "/var/cache/webid-oidc")) - (make-forkexec-constructor - (list - (string-append #$webid-oidc "/bin/webid-oidc") - "reverse-proxy" - "--complete-corresponding-source" #$ccs - "--port" (with-output-to-string (lambda () (display #$port))) - "--server-name" #$inbound-uri - "--backend-uri" #$outbound-uri - "--header" #$header - "--log-file" "reverse-proxy.log" - "--error-file" "reverse-proxy.err" - #$@extra-options) - #:user "webid-oidc" - #:group "webid-oidc" - #:directory "/var/log/webid-oidc" - #:environment-variables - `("XDG_DATA_HOME=/var/lib" - "XDG_CACHE_HOME=/var/cache" - "LANG=C")))) - (stop #~(make-kill-destructor)))))))) - -(define webid-oidc-hello-shepherd-service - (match-lambda - (($ - webid-oidc ccs port extra-options) - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - (list (shepherd-service - (provision '(webid-oidc-hello)) - (documentation "Run a demonstration Solid server.") - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start 
- #~(begin - (let* ((user (getpwnam "webid-oidc")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/webid-oidc") - (prepare-directory "/var/lib/webid-oidc") - (prepare-directory "/var/cache/webid-oidc")) - (make-forkexec-constructor - (list - (string-append #$webid-oidc "/bin/webid-oidc-hello") - "--complete-corresponding-source" #$ccs - "--port" (with-output-to-string (lambda () (display #$port))) - "--log-file" "hello.log" - "--error-file" "hello.err" - #$@extra-options) - #:user "webid-oidc" - #:group "webid-oidc" - #:directory "/var/log/webid-oidc" - #:environment-variables - `("XDG_DATA_HOME=/var/lib" - "XDG_CACHE_HOME=/var/cache" - "LANG=C")))) - (stop #~(make-kill-destructor)))))))) - -(define webid-oidc-client-service-shepherd-service - (match-lambda - (($ - webid-oidc ccs client-id redirect-uri client-name client-uri port - extra-options) - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - (list (shepherd-service - (provision '(webid-oidc-client-service)) - (documentation "Run a server for a Solid application.") - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - #~(begin - (let* ((user (getpwnam "webid-oidc")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/webid-oidc")) - (make-forkexec-constructor - (list - (string-append #$webid-oidc "/bin/webid-oidc") - "client-service" - "--complete-corresponding-source" #$ccs - "--client-id" #$client-id - "--redirect-uri" #$redirect-uri - "--client-name" #$client-name - "--client-uri" #$client-uri - "--port" (with-output-to-string (lambda () (display #$port))) - "--log-file" "client-service.log" - "--error-file" "client-service.err" - #$@extra-options) - #:user "webid-oidc" - #:group 
"webid-oidc" - #:directory "/var/log/webid-oidc" - #:environment-variables - `("LANG=C")))) - (stop #~(make-kill-destructor)))))))) - -(define webid-oidc-server-shepherd-service - (match-lambda - (($ - webid-oidc ccs server-name key-file subject encrypted-password jwks-uri - authorization-endpoint-uri token-endpoint-uri port - extra-options) - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - (list (shepherd-service - (provision '(webid-oidc-server)) - (documentation "Run the full Solid server.") - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - #~(begin - (let* ((user (getpwnam "webid-oidc")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/webid-oidc") - (prepare-directory "/var/lib/webid-oidc") - (prepare-directory "/var/cache/webid-oidc")) - (make-forkexec-constructor - (list - (string-append #$webid-oidc "/bin/webid-oidc") - "server" - "--complete-corresponding-source" #$ccs - "--server-name" #$server-name - "--key-file" #$key-file - "--subject" #$subject - "--encrypted-password" #$encrypted-password - "--jwks-uri" #$jwks-uri - "--authorization-endpoint-uri" #$authorization-endpoint-uri - "--token-endpoint-uri" #$token-endpoint-uri - "--port" (with-output-to-string (lambda () (display #$port))) - "--log-file" "server.log" - "--error-file" "server.err" - #$@extra-options) - #:user "webid-oidc" - #:group "webid-oidc" - #:directory "/var/log/webid-oidc" - #:environment-variables - `("XDG_DATA_HOME=/var/lib" - "XDG_CACHE_HOME=/var/cache" - "LANG=C")))) - (stop #~(make-kill-destructor)))))))) - -(define %webid-oidc-accounts - (list (user-group (name "webid-oidc") - (system? #t)) - (user-account - (name "webid-oidc") - (group "webid-oidc") - (system? 
#t) - (comment "The user that runs the webid-oidc issuer and resource server.") - (home-directory "/var/empty") - (shell (file-append shadow "/sbin/nologin"))))) - -(define (%webid-oidc-log-rotation file) - (list (log-rotation - (frequency 'daily) - (files - (map (lambda (ext) (string-append "/var/log/webid-oidc/" file "." ext)) - '("log" "err"))) - (options '("sharedscripts" - "storedir /var/log/webid-oidc"))))) - -(define-public webid-oidc-issuer-service-type - (service-type - (name 'webid-oidc-issuer) - (extensions - (list - (service-extension account-service-type - (const %webid-oidc-accounts)) - (service-extension rottlog-service-type - (const (%webid-oidc-log-rotation "issuer"))) - (service-extension - shepherd-root-service-type - webid-oidc-issuer-shepherd-service))))) - -(define-public webid-oidc-reverse-proxy-service-type - (service-type - (name 'webid-oidc-reverse-proxy) - (extensions - (list - (service-extension account-service-type - (const %webid-oidc-accounts)) - (service-extension rottlog-service-type - (const (%webid-oidc-log-rotation "reverse-proxy"))) - (service-extension - shepherd-root-service-type - webid-oidc-reverse-proxy-shepherd-service))))) - -(define-public webid-oidc-hello-service-type - (service-type - (name 'webid-oidc-hello) - (extensions - (list - (service-extension account-service-type - (const %webid-oidc-accounts)) - (service-extension rottlog-service-type - (const (%webid-oidc-log-rotation "hello"))) - (service-extension - shepherd-root-service-type - webid-oidc-hello-shepherd-service))))) - -(define-public webid-oidc-client-service-service-type - (service-type - (name 'webid-oidc-client-service) - (extensions - (list - (service-extension account-service-type - (const %webid-oidc-accounts)) - (service-extension rottlog-service-type - (const (%webid-oidc-log-rotation "client-service"))) - (service-extension - shepherd-root-service-type - webid-oidc-client-service-shepherd-service))))) - -(define-public 
webid-oidc-server-service-type
- (service-type
- (name 'webid-oidc-server)
- (extensions
- (list
- (service-extension account-service-type
- (const %webid-oidc-accounts))
- (service-extension rottlog-service-type
- (const (%webid-oidc-log-rotation "server")))
- (service-extension
- shepherd-root-service-type
- webid-oidc-server-shepherd-service)))))
-
-(define-public webid-oidc-website
- (nginx-server-configuration
- (server-name '("webid-oidc.planete-kraus.eu"))
- (listen '("443 ssl" "[::]:443 ssl"))
- (ssl-certificate "/etc/letsencrypt/live/planete-kraus.eu/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/planete-kraus.eu/privkey.pem")
- (root webid-oidc:website)
- (locations
- (list
- (nginx-location-configuration
- (uri "/project")
- (body
- (list "default_type text/turtle ;")))))))
diff --git a/hooks/update b/hooks/update
index 325adfd..df40146 100755
--- a/hooks/update
+++ b/hooks/update
@@ -1,6 +1,6 @@
 #!/bin/sh
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/man/Makefile.am b/man/Makefile.am
index 2e3a7d4..7390d64 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,4 +1,4 @@
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
@@ -14,22 +14,22 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
-dist_man8_MANS = webid-oidc.man webid-oidc-example-app.man
+dist_man8_MANS = disfluid.man disfluid-example-app.man
 EXTRA_DIST = ./reset-env project
-webid-oidc.man: ../src/scm/webid-oidc/program.scm ../configure.ac
- $(AM_V_GEN) ../pre-inst-env ./reset-env $(HELP2MAN) $(srcdir)/../src/webid-oidc > $@-t
+disfluid.man: ../src/scm/webid-oidc/program.scm ../configure.ac
+ $(AM_V_GEN) ../pre-inst-env ./reset-env $(HELP2MAN) $(srcdir)/../src/disfluid > $@-t
 mv $@-t $(srcdir)/$@
-webid-oidc-example-app.man: ../src/scm/webid-oidc/example-app.scm ../configure.ac
- $(AM_V_GEN) ../pre-inst-env ./reset-env $(HELP2MAN) $(srcdir)/../src/webid-oidc-example-app > $@-t
+disfluid-example-app.man: ../src/scm/webid-oidc/example-app.scm ../configure.ac
+ $(AM_V_GEN) ../pre-inst-env ./reset-env $(HELP2MAN) $(srcdir)/../src/disfluid-example-app > $@-t
 mv $@-t $(srcdir)/$@
 install-html-local: project
- $(INSTALL_DATA) $(srcdir)/$< $(DESTDIR)$(htmldir)/webid-oidc.html
+ $(INSTALL_DATA) $(srcdir)/$< $(DESTDIR)$(htmldir)/disfluid.html
 project: ../src/scm/webid-oidc/program.scm ../configure
- $(AM_V_GEN) ../pre-inst-env $(GUILE) $(srcdir)/../src/webid-oidc --describe-project > $@-t
+ $(AM_V_GEN) ../pre-inst-env $(GUILE) $(srcdir)/../src/disfluid --describe-project > $@-t
 mv $@-t $(srcdir)/$@
diff --git a/man/reset-env.in b/man/reset-env.in
index 650082f..43c9b74 100755
--- a/man/reset-env.in
+++ b/man/reset-env.in
@@ -1,6 +1,6 @@
 #!@SHELL@
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 7d703f8..9ad200b 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,4 +1,4 @@
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/po/disfluid.pot b/po/disfluid.pot
new file mode 100644
index 0000000..a66640f
--- /dev/null
+++ b/po/disfluid.pot
@@ -0,0 +1,1813 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR Vivien Kraus +# This file is distributed under the same license as the disfluid package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: disfluid SNAPSHOT\n" +"Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" +"POT-Creation-Date: 2021-07-30 12:06+0200\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: src/libwebidoidc.c:29 +msgid "This is the main function." +msgstr "" + +#: src/random/random.c:217 +#, c-format +msgid "Could not set the global random generator up.\n" +msgstr "" + +#: src/random/random.c:231 src/random/random.c:243 src/random/random.c:256 +#: src/random/random.c:267 src/random/random.c:278 +#, c-format +msgid "Could not set the global random generator up: out of memory.\n" +msgstr "" + +#: src/random/random.c:288 +#, c-format +msgid "" +"Warning: could not open the seed file, maybe the parent directory is " +"missing...\n" +msgstr "" + +#: src/random/random.c:292 +#, c-format +msgid "Warning: could not create the cache directory '%s'.\n" +msgstr "" + +#: src/random/random.c:294 +msgid "when creating the cache directory" +msgstr "" + +#: src/random/random.c:300 +#, c-format +msgid "Warning: could not create the package cache directory '%s'.\n" +msgstr "" + +#: src/random/random.c:302 +msgid "when creating the package cache directory" +msgstr "" + +#: src/random/random.c:308 +#, c-format +msgid "Could not open the seed file '%s'.\n" +msgstr "" + +#: src/random/random.c:309 +msgid "when opening the seed file" +msgstr "" + +#: src/random/random.c:329 +#, c-format +msgid "Could not lock the seed file '%s'.\n" +msgstr "" + +#: src/random/random.c:331 +msgid "when locking the seed file" +msgstr "" + +#: src/random/random.c:345 +#, c-format +msgid "" +"Warning: the seed file 
'%s' is too short. This weakens the random number " +"generator. Please write more random data in it.\n" +msgstr "" + +#: src/random/random.c:362 +#, c-format +msgid "Could not update the seed file '%s'.\n" +msgstr "" + +#: src/random/random.c:363 +msgid "when rewinding the seed file" +msgstr "" + +#: src/random/random.c:395 +#, c-format +msgid "Could not unlock the seed file '%s'.\n" +msgstr "" + +#: src/random/random.c:397 +msgid "when unlocking the seed file" +msgstr "" + +#: src/random/random.c:425 +#, c-format +msgid "Could not set the thread-local random generator up.\n" +msgstr "" + +#: src/random/random.c:433 +#, c-format +msgid "" +"The random module has not been initialized. Please call " +"webid_oidc_random_init first.\n" +msgstr "" + +#: src/random/generate-random.c:47 +#, c-format +msgid "Usage: generate-random [NUMBER OF BYTES]\n" +msgstr "" + +#: src/jwk/generate-key.c:52 +#, c-format +msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1090 +msgid "that’s how it is" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1095 +#, scheme-format +msgid "the value ~s is not a base64 string (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1098 +#, scheme-format +msgid "the value ~s is not JSON (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1101 +#, scheme-format +msgid "the value ~s is not Turtle (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1104 +#, scheme-format +msgid "the value ~s does not identify an elleptic curve" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1109 +#, scheme-format +msgid "the value ~s does not identify a JWK (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1111 +#, scheme-format +msgid "the value ~s does not identify a JWK" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1116 +#, scheme-format +msgid "the value ~s does not identify a public JWK (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1118 +#, scheme-format +msgid 
"the value ~s does not identify a public JWK" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1123 +#, scheme-format +msgid "the value ~s does not identify a private JWK (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1125 +#, scheme-format +msgid "the value ~s does not identify a private JWK" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1130 +#, scheme-format +msgid "the value ~s does not identify a JWKS (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1132 +#, scheme-format +msgid "the value ~s does not identify a JWKS" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1135 +#, scheme-format +msgid "the value ~s does not identify a hash algorithm" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1138 +#, scheme-format +msgid "the value ~s is not an alist or misses key ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1141 +#, scheme-format +msgid "the value ~s is not a JWS header (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1144 +#, scheme-format +msgid "the value ~s is not a JWS payload (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1147 +#, scheme-format +msgid "the value ~s is not a JWS (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1150 +#, scheme-format +msgid "the string ~s cannot be split in 3 parts with ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1153 +#, scheme-format +msgid "" +"all key candidates failed to verify signature ~s with algorithm ~s and " +"payload ~a (there were ~a: ~s)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1156 +#, scheme-format +msgid "I cannot decode JWS ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1159 +#, scheme-format +msgid "I cannot encode JWS ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1162 +#, scheme-format +msgid "" +"the server request unexpectedly failed with code ~a and reason phrase ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1167 +#, scheme-format +msgid "the header ~a should not have the value ~s" 
+msgstr "" + +#: src/scm/webid-oidc/errors.scm:1169 +#, scheme-format +msgid "the header ~a should be present" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1172 +#, scheme-format +msgid "the server response wasn't expected: ~s (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1178 +#, scheme-format +msgid "the value ~s is not an OIDC configuration (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1183 +#, scheme-format +msgid "the webid field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1184 +msgid "the webid field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1188 +#, scheme-format +msgid "the sub field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1189 +msgid "the sub field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1193 +#, scheme-format +msgid "the iss field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1194 +msgid "the iss field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1198 +#, scheme-format +msgid "the aud field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1199 +msgid "the aud field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1203 +#, scheme-format +msgid "the iat field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1204 +msgid "the iat field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1208 +#, scheme-format +msgid "the exp field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1209 +msgid "the exp field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1213 +#, scheme-format +msgid "the cnf/jkt field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1214 +msgid "the cnf/jkt field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1218 +#, scheme-format +msgid "the client-id field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1219 +msgid "the client-id field is missing" +msgstr "" + +#: 
src/scm/webid-oidc/errors.scm:1223 +#: src/scm/webid-oidc/authorization-page-unsafe.scm:149 +#, scheme-format +msgid "the redirect_uris field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1224 +#: src/scm/webid-oidc/authorization-page-unsafe.scm:150 +msgid "the redirect_uris field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1228 +#, scheme-format +msgid "the typ field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1229 +msgid "the typ field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1233 +#, scheme-format +msgid "the jwk field is incorrect: ~s (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1235 +msgid "the jwk field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1239 +#, scheme-format +msgid "the jti field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1240 +msgid "the jti field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1244 +#, scheme-format +msgid "the nonce field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1245 +msgid "the nonce field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1249 +#, scheme-format +msgid "the htm field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1250 +msgid "the htm field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1254 +#, scheme-format +msgid "the htu field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1255 +msgid "the htu field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1259 +#, scheme-format +msgid "the ath field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1260 +msgid "the ath field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1262 +#, scheme-format +msgid "~s is not an access token (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1265 +#, scheme-format +msgid "~s is not an access token header (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1268 
+#, scheme-format +msgid "~s is not an access token payload (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1271 +#, scheme-format +msgid "~s is not a DPoP proof (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1274 +#, scheme-format +msgid "~s is not a DPoP proof header (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1277 +#, scheme-format +msgid "~s is not a DPoP proof payload (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1280 +#, scheme-format +msgid "I cannot fetch the issuer configuration of ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1287 +#, scheme-format +msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1298 +#, scheme-format +msgid "the HTTP method is signed for ~s, but ~s was requested" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1301 +#, scheme-format +msgid "the HTTP uri is signed for ~a, but ~a was requested" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1304 +#, scheme-format +msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1308 +#, scheme-format +msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1317 +#, scheme-format +msgid "the key ~s does not hash to ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1319 +#, scheme-format +msgid "the key confirmation of ~s failed (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1321 +#, scheme-format +msgid "the key confirmation of ~s failed" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1326 +#, scheme-format +msgid "the DPoP proof is bound to an access token with hash ~s, not ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1328 +#, scheme-format +msgid "the DPoP proof should be bound to the access token ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1331 +#, scheme-format +msgid "the jti ~s has already been found (because 
~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1334 +#, scheme-format +msgid "I cannot decode ~s as an access token (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1337 +#, scheme-format +msgid "I cannot encode ~s as an access token with key ~s (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1340 +#, scheme-format +msgid "I cannot decode ~s as a DPoP proof (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1343 +#, scheme-format +msgid "I cannot encode ~s as a DPoP proof (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1346 +#, scheme-format +msgid "I could not fetch a RDF graph at ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1349 +#, scheme-format +msgid "~s is not a client manifest (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1352 +#, scheme-format +msgid "~s does not authorize redirection URI ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1355 +msgid "I cannot serve a public manifest" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1357 +#, scheme-format +msgid "~a does not have a client manifest registration triple" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1360 +#, scheme-format +msgid "the client manifest at ~a is advertised for ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1363 +#, scheme-format +msgid "I could not fetch the client manifest of ~a (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1366 +#, scheme-format +msgid "~s is not an authorization code (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1369 +#, scheme-format +msgid "~s is not an authorization code header (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1372 +#, scheme-format +msgid "~s is not an authorization code payload (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1375 +#, scheme-format +msgid "the current time is ~a, and the authorization code expired at ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1379 +#, scheme-format +msgid "I 
cannot decode ~s as an authorization code (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1382 +#, scheme-format +msgid "I cannot encode ~s as an authorization code (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1385 +#, scheme-format +msgid "there is no such refresh token as ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1388 +#, scheme-format +msgid "" +"the refresh token is bound to a key confirmed as ~s, but it is used with key " +"~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1391 +#, scheme-format +msgid "I cannot decode ~s as an ID token (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1394 +#, scheme-format +msgid "I cannot encode ~s as an ID token (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1397 +#, scheme-format +msgid "the grant type ~s is not supported" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1400 +msgid "there is no authorization code in the request" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1402 +msgid "there is no refresh token in the request" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1404 +#, scheme-format +msgid "~s is not an ID token (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1407 +#, scheme-format +msgid "~s is not an ID token header (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1410 +#, scheme-format +msgid "~s is not an ID token payload (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1413 +#, scheme-format +msgid "" +"I couldn’t set the locale to ~s as an approximation of the client locale ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1416 +#, scheme-format +msgid "~s does not admit ~s as an identity provider" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1419 +#, scheme-format +msgid "" +"~a is neither an identity provider (because ~a) nor a webid (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1424 +#, scheme-format +msgid "the token request failed (because ~a)" +msgstr "" + +#: 
src/scm/webid-oidc/errors.scm:1427 +#, scheme-format +msgid "you don’t have a refresh token for identity ~a certified by ~a in ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1432 +#, scheme-format +msgid "all identity provider candidates for ~a failed: ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1436 +#, scheme-format +msgid "~s failed (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1439 +msgid ", " +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1441 +#, scheme-format +msgid "no resource has been found to serve URI path ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1444 +#, scheme-format +msgid "the resource kind ~s is absent for the resource at ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1447 +#, scheme-format +msgid "no resource has been found to serve URI path ~s, but ~s exists" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1450 +msgid "the root storage cannot be deleted" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1452 +#, scheme-format +msgid "the container ~s should be emptied before being deleted" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1455 +#, scheme-format +msgid "the group ~s cannot be fetched (because ~a)" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1459 +#, scheme-format +msgid "the containment triples in the request to update ~s are not up to date" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1462 +#, scheme-format +msgid "the server cannot process resources with the ~s content-type" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1465 +#, scheme-format +msgid "" +"the client wants to create a resource at ~s, which is reserved for an " +"auxiliary resource" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1468 +#, scheme-format +msgid "" +"the operation on ~s by ~a is refused, because it’s not by ~s and the access " +"control forbids the following mode of operation: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1472 +msgid "an anonymous user" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1477 +#, 
scheme-format +msgid "" +"the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " +"resource has a representation of ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1479 +#, scheme-format +msgid "" +"the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " +"resource has no representation" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1482 +#, scheme-format +msgid "" +"the client wanted a response with a content type among ~s, but the resource " +"at ~s has content-type ~s which cannot be converted to one of them" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1489 +msgid "that’s it" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1493 +#, scheme-format +msgid "~a and ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1496 +#, scheme-format +msgid "~a, ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1500 +#, scheme-format +msgid "the signature ~a does not match key ~s with payload ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1503 +#, scheme-format +msgid "the request failed unexpectedly with code ~a: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1507 +msgid "there is an undefined variable" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1509 +#, scheme-format +msgid "the origin is ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1512 +#, scheme-format +msgid "a message is attached: ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1515 +#, scheme-format +msgid "the values ~s are problematic" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1518 +#, scheme-format +msgid "there is a kind (~s) and args ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1521 +msgid "there is an assertion failure" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1523 +#, scheme-format +msgid "the program quits with code ~a" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1526 +msgid "the program cannot recover from this exception" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1528 +msgid "there is an external error" +msgstr "" 
+ +#: src/scm/webid-oidc/errors.scm:1530 +msgid "there is an error" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1532 +#, scheme-format +msgid "Unhandled exception type ~a." +msgstr "" + +#: src/scm/webid-oidc/identity-provider.scm:70 +msgid "Warning: generating a new key pair." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:45 +msgid "xml-lang|en" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:61 +msgid "page-title|Authorization" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:66 +msgid "Authorize this anonymous application?" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:67 +#, scheme-format +msgid "Authorize ~a?" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:69 +msgid "Do you want to authorize this application to represent you?" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:79 +msgid "Please retry your password:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:80 +msgid "Please enter your password:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:85 +msgid "Allow" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:91 +msgid "Bad request" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:96 +msgid "The application did not set the client_id parameter." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:101 +msgid "The application did not set the redirect_uri parameter." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:114 +#, scheme-format +msgid "the value ~s is not a base64 string." 
+msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:117 +msgid "the following value is not JSON:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:120 +msgid "the following value is not Turtle:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:123 +#, scheme-format +msgid "" +"the server request unexpectedly failed with code ~a and reason phrase ~s." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:128 +#, scheme-format +msgid "the header ~a should not have the value ~s.\n" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:130 +#, scheme-format +msgid "the header ~a should be present." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:134 +msgid "the server response wasn’t expected:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:143 +#, scheme-format +msgid "the client_id field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:144 +msgid "the client_id field is missing" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:153 +#, scheme-format +msgid "I could not fetch a RDF graph at ~a;" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:157 +msgid "this is not a client manifest:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:162 +#, scheme-format +msgid "the manifest does not authorize redirection URI ~a:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:167 +#, scheme-format +msgid "the client manifest at ~a is advertised for ~a;" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:172 +#, scheme-format +msgid "I could not fetch the client manifest of ~a;" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:177 +msgid "I could not issue an authorization code for you;" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:185 +msgid "" +"The application you are trying to authorize behaved unexpectedly. 
Here is " +"the explanation of the error:" +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:194 +msgid "Redirecting..." +msgstr "" + +#: src/scm/webid-oidc/authorization-page-unsafe.scm:199 +#, scheme-format +msgid "" +"~a can now log in on your behalf. You still need to adjust " +"permissions." +msgstr "" + +#: src/scm/webid-oidc/resource-server.scm:92 +#, scheme-format +msgid "~a: authentication failure: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/resource-server.scm:275 +#, scheme-format +msgid "Warning: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 +#: src/scm/webid-oidc/program.scm:217 +msgid "command-line|version" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:221 +msgid "command-line|complete-corresponding-source" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:223 +msgid "command-line|help" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:54 +msgid "command-line|port" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:253 +msgid "command-line|log-file" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:255 +msgid "command-line|error-file" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:70 +#, scheme-format +msgid "" +"~a [OPTIONS]...\n" +"\n" +"Display your identity contained in the XXX-Agent header.\n" +"\n" +"This program is covered by the GNU Affero GPL, version 3 or\n" +"later. This license requires you to provide a way for any user over\n" +"the network to download the complete corresponding source code (with\n" +"your modifications) at no cost. The server adds a \"Source:\" header\n" +"to all responses.\n" +"\n" +"Options:\n" +" -S MEANS, --~a=MEANS:\n" +" specify a way to download the complete corresponding source\n" +" code. 
For instance, this would be an URI pointing to a tarball.\n" +" -h, --~a:\n" +" display this help message and exit.\n" +" -v, --~a:\n" +" display the version information (~a) and exit.\n" +" -p PORT, --~a=PORT:\n" +" set the port to bind.\n" +" -l FILE.log, --~a=FILE.log:\n" +" redirect the program standard output to FILE.log.\n" +" -e FILE.err, --~a=FILE.err:\n" +" redirect the program errors to FILE.err.\n" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:103 +#: src/scm/webid-oidc/example-app.scm:159 +#, scheme-format +msgid "~a version ~a\n" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:609 +msgid "" +"You are legally required to link to the complete corresponding source code.\n" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:123 +msgid "The port should be a number between 0 and 65535.\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:51 +#, scheme-format +msgid "~a.\t~a, certified by ~a;\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:62 +#, scheme-format +msgid "~a – ~a\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:81 +#, scheme-format +msgid "I’m expecting a number between ~a and ~a.\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:88 +msgid "Please enter an URI to GET: " +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:107 +#, scheme-format +msgid "Sending a request: ~s\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:118 +msgid "comand-line|help" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:126 +#, scheme-format +msgid "" +"Usage: ~a [OPTIONS]...\n" +"\n" +"Demonstrate a webid-oidc application.\n" +"\n" +"Options:\n" +" -h, --~a:\n" +" display this help message and exit.\n" +" -v, --~a:\n" +" display the version information (~a) and exit.\n" +"\n" +"Environment variables:\n" +"\n" +" LANG: set the locale. Currently ~a.\n" +"\n" +" XDG_CACHE_HOME: where the seed for the key generator is\n" +"stored. 
Currently ~a.\n" +"\n" +" XDG_DATA_HOME: where the login credentials are stored. Currently ~a.\n" +"\n" +" HOME: to compute a default value for XDG_CACHE_HOME and\n" +"XDG_DATA_HOME, if missing. Currently ~a.\n" +"\n" +"If you find a bug, send a report to ~a.\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:163 +msgid "First, let’s log in. Here are your options:\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:165 +msgid "0.\tLog in with a different identity.\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:170 +#: src/scm/webid-oidc/example-app.scm:189 +msgid "Please indicate your choice number: " +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:175 +msgid "Please enter your webid, or identity server: " +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:185 +msgid "There are different possible identity providers for your webid:\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:192 +#, scheme-format +msgid "" +"Please visit the following URI with a web browser:\n" +"~a\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:194 +msgid "Please paste your authorization code: " +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:205 +#, scheme-format +msgid "" +"Log in success. 
Keep this identity token for yourself:\n" +"\n" +"~a\n" +"\n" +"Now, you can do authenticated request by presenting the following access " +"token:\n" +"\n" +"~a\n" +"\n" +"and signing DPoP proofs with the following key:\n" +"\n" +"~a\n" +msgstr "" + +#: src/scm/webid-oidc/example-app.scm:226 +#, scheme-format +msgid "There was an error: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:111 +#, scheme-format +msgid "~a: ~a: Internal server error: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:125 +#, scheme-format +msgid "" +"The client locale ~s can’t be approximated by system locale ~s (because ~a), " +"using C.\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:149 +#, scheme-format +msgid "~a: ~s ~a ~s ~a\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:151 +#, scheme-format +msgid "~a: ~a (~a)" +msgstr "" + +#: src/scm/webid-oidc/program.scm:155 +#, scheme-format +msgid "~a: ~a" +msgstr "" + +#: src/scm/webid-oidc/program.scm:165 +#, scheme-format +msgid "(there was an error: ~a)" +msgstr "" + +#: src/scm/webid-oidc/program.scm:219 +msgid "command-line|describe-project" +msgstr "" + +#: src/scm/webid-oidc/program.scm:225 +msgid "command-line|server|port" +msgstr "" + +#: src/scm/webid-oidc/program.scm:227 +msgid "command-line|server|server-name" +msgstr "" + +#: src/scm/webid-oidc/program.scm:229 +msgid "command-line|server|reverse-proxy|backend-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:231 +msgid "command-line|server|reverse-proxy|header" +msgstr "" + +#: src/scm/webid-oidc/program.scm:233 +msgid "command-line|server|issuer|key-file" +msgstr "" + +#: src/scm/webid-oidc/program.scm:235 +msgid "command-line|server|issuer|subject" +msgstr "" + +#: src/scm/webid-oidc/program.scm:237 +msgid "command-line|server|issuer|encrypted-password" +msgstr "" + +#: src/scm/webid-oidc/program.scm:239 +msgid "command-line|server|issuer|jwks-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:241 +msgid 
"command-line|server|issuer|authorization-endpoint-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:243 +msgid "command-line|server|issuer|token-endpoint-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:245 +msgid "command-line|server|client-id" +msgstr "" + +#: src/scm/webid-oidc/program.scm:247 +msgid "command-line|server|redirect-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:249 +msgid "command-line|server|client-name" +msgstr "" + +#: src/scm/webid-oidc/program.scm:251 +msgid "command-line|server|client-uri" +msgstr "" + +#: src/scm/webid-oidc/program.scm:284 +#, scheme-format +msgid "Usage: ~a COMMAND [OPTIONS]...\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:288 +msgid "" +"\n" +"Run the disfluid COMMAND." +msgstr "" + +#: src/scm/webid-oidc/program.scm:291 +msgid "" +"\n" +"This program is covered by the GNU Affero GPL, version 3 or\n" +"later. This license requires you to provide a way for any user over\n" +"the network to download the complete corresponding source code (with\n" +"your modifications) at no cost. The server adds a \"Source:\" header\n" +"to all responses." +msgstr "" + +#: src/scm/webid-oidc/program.scm:298 +msgid "" +"\n" +"Available commands:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:300 +#, scheme-format +msgid "" +"\n" +" ~a:\n" +" run an authenticating reverse proxy." +msgstr "" + +#: src/scm/webid-oidc/program.scm:303 src/scm/webid-oidc/program.scm:491 +#: src/scm/webid-oidc/program.scm:682 +msgid "command-line|command|reverse-proxy" +msgstr "" + +#: src/scm/webid-oidc/program.scm:304 +#, scheme-format +msgid "" +"\n" +" ~a:\n" +" run an identity provider." +msgstr "" + +#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:516 +#: src/scm/webid-oidc/program.scm:704 +msgid "command-line|command|identity-provider" +msgstr "" + +#: src/scm/webid-oidc/program.scm:308 +#, scheme-format +msgid "" +"\n" +" ~a:\n" +" serve the pages for a public application." 
+msgstr "" + +#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:537 +#: src/scm/webid-oidc/program.scm:748 +msgid "command-line|command|client-service" +msgstr "" + +#: src/scm/webid-oidc/program.scm:312 +#, scheme-format +msgid "" +"\n" +" ~a:\n" +" run a full server, with identity provider and resource storage\n" +" facility." +msgstr "" + +#: src/scm/webid-oidc/program.scm:316 src/scm/webid-oidc/program.scm:563 +#: src/scm/webid-oidc/program.scm:777 +msgid "command-line|command|server" +msgstr "" + +#: src/scm/webid-oidc/program.scm:318 +msgid "" +"\n" +"General options:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:320 +#, scheme-format +msgid "" +"\n" +" -S MEANS, --~a=MEANS:\n" +" specify a way to download the complete corresponding source\n" +" code. For instance, this would be an URI pointing to a tarball." +msgstr "" + +#: src/scm/webid-oidc/program.scm:325 +#, scheme-format +msgid "" +"\n" +" -h, --~a:\n" +" display a short help message and exit." +msgstr "" + +#: src/scm/webid-oidc/program.scm:329 +#, scheme-format +msgid "" +"\n" +" -v, --~a:\n" +" display the version information (~a, released ~a) and exit." +msgstr "" + +#: src/scm/webid-oidc/program.scm:335 +#, scheme-format +msgid "" +"\n" +" --~a:\n" +" describe the project in the DOAP vocabulary and exit." +msgstr "" + +#: src/scm/webid-oidc/program.scm:339 +#, scheme-format +msgid "" +"\n" +" -l FILE.log, --~a=FILE.log:\n" +" redirect the program standard output to FILE.log." +msgstr "" + +#: src/scm/webid-oidc/program.scm:343 +#, scheme-format +msgid "" +"\n" +" -e FILE.err, --~a=FILE.err:\n" +" redirect the program errors to FILE.err." +msgstr "" + +#: src/scm/webid-oidc/program.scm:348 +msgid "" +"\n" +"General server-side options:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:350 +#, scheme-format +msgid "" +"\n" +" -p PORT, --~a=PORT:\n" +" set the server port to bind, 8080 by default." 
+msgstr "" + +#: src/scm/webid-oidc/program.scm:354 +#, scheme-format +msgid "" +"\n" +" -n URI, --~a=URI:\n" +" set the public server URI (scheme, userinfo, host, and port)." +msgstr "" + +#: src/scm/webid-oidc/program.scm:359 +msgid "" +"\n" +"Options for the resource server:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:361 +#, scheme-format +msgid "" +"\n" +" -H HEADER, --~a=HEADER:\n" +" the HEADER field contains the webid of the authenticated user,\n" +" XXX-Agent by default. For the full server, disable Solid-OIDC\n" +" authentication." +msgstr "" + +#: src/scm/webid-oidc/program.scm:367 +#, scheme-format +msgid "" +"\n" +" -b URI, --~a=URI:\n" +" set the backend URI for the reverse proxy, only for the\n" +" reverse-proxy command." +msgstr "" + +#: src/scm/webid-oidc/program.scm:373 +msgid "" +"\n" +"Options for the identity provider:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:375 +#, scheme-format +msgid "" +"\n" +" -k FILE, --~a=FILE.jwk:\n" +" set the file name of the key file. If it does not exist, a new\n" +" key is generated. The server does not offer an HTTPS service." +msgstr "" + +#: src/scm/webid-oidc/program.scm:380 +#, scheme-format +msgid "" +"\n" +" -s WEBID, --~a=WEBID:\n" +" set the identity of the subject." +msgstr "" + +#: src/scm/webid-oidc/program.scm:384 +#, scheme-format +msgid "" +"\n" +" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" +" set the encrypted password to recognize the user." +msgstr "" + +#: src/scm/webid-oidc/program.scm:388 +#, scheme-format +msgid "" +"\n" +" -j URI, --~a=URI:\n" +" set the URI to query the key of the server." +msgstr "" + +#: src/scm/webid-oidc/program.scm:392 +#, scheme-format +msgid "" +"\n" +" -a URI, --~a=URI:\n" +" set the authorization endpoint of the issuer." +msgstr "" + +#: src/scm/webid-oidc/program.scm:396 +#, scheme-format +msgid "" +"\n" +" -t URI, --~a=URI:\n" +" set the token endpoint of the issuer." 
+msgstr "" + +#: src/scm/webid-oidc/program.scm:401 +msgid "" +"\n" +"Options for the client service:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:403 +#, scheme-format +msgid "" +"\n" +" -c URI, --~a=URI:\n" +" set the web identifier of the client application, which is\n" +" dereferenced to a semantic resource." +msgstr "" + +#: src/scm/webid-oidc/program.scm:408 +#, scheme-format +msgid "" +"\n" +" -r URI, --~a=URI:\n" +" set the redirection URI to get the authorization code back. The\n" +" page is presented with the code to paste in the application." +msgstr "" + +#: src/scm/webid-oidc/program.scm:413 +#, scheme-format +msgid "" +"\n" +" -C NAME, --~a=NAME:\n" +" set the user-visible application name (may be misleading...)." +msgstr "" + +#: src/scm/webid-oidc/program.scm:417 +#, scheme-format +msgid "" +"\n" +" -u URI, --~a=URI:\n" +" set an URI where someone would find more information about the\n" +" application (again, may be misleading)." +msgstr "" + +#: src/scm/webid-oidc/program.scm:423 +msgid "" +"\n" +"Environment variables:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:425 +msgid "" +"\n" +" XML_CATALOG_FILES: the server will fetch resources on the web. By\n" +" setting this environment variable to a space-separated list of\n" +" catalog URIs, the server will redirect these requests to another\n" +" server. Currently, it is not possible to load files from the\n" +" file system, because there is no way to specify the\n" +" content-type." +msgstr "" + +#: src/scm/webid-oidc/program.scm:433 src/scm/webid-oidc/program.scm:440 +#: src/scm/webid-oidc/program.scm:449 src/scm/webid-oidc/program.scm:457 +#: src/scm/webid-oidc/program.scm:465 +#, scheme-format +msgid "" +"the-environment-variable|\n" +" It is currently set to ~s." +msgstr "" + +#: src/scm/webid-oidc/program.scm:436 +msgid "" +"\n" +" LANG: set the locale of the user interface (for the server commands,\n" +" the user is the system administrator)." 
+msgstr "" + +#: src/scm/webid-oidc/program.scm:443 +msgid "" +"\n" +" XDG_DATA_HOME: where the program stores persistent data. The\n" +" identity provider stores the refresh tokens. The full server\n" +" stores the resources there. For a system service, it is\n" +" recommended to set it to /var/lib." +msgstr "" + +#: src/scm/webid-oidc/program.scm:452 +msgid "" +"\n" +" XDG_CACHE_HOME: where the program stores and updates the seed file,\n" +" and the web client cache. You can remove this directory at any\n" +" time. The seed file will be initialized from /dev/random." +msgstr "" + +#: src/scm/webid-oidc/program.scm:460 +msgid "" +"\n" +" HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" +" computed from the value of the HOME environment variable. It is\n" +" not used otherwise." +msgstr "" + +#: src/scm/webid-oidc/program.scm:469 +msgid "" +"\n" +"Running a reverse proxy" +msgstr "" + +#: src/scm/webid-oidc/program.scm:471 +msgid "" +"\n" +"Suppose that you operate data.provider.com. You want to run an\n" +"authenticating reverse proxy, that will receive incoming requests\n" +"through http://localhost:8080, and forward them to\n" +"https://private.data.provider.com. The backend will look for the\n" +"XXX-Agent header, and if it is found, then its value will be\n" +"considered the webid of the authenticated\n" +"user. https://private.data.provider.com should only accept requests\n" +"from this reverse proxy." 
+msgstr "" + +#: src/scm/webid-oidc/program.scm:481 +#, scheme-format +msgid "" +"\n" +" ~a ~a \\\n" +" --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n" +" --~a 8080 \\\n" +" --~a 'https://data.provider.com' \\\n" +" --~a 'https://private.data.provider.com' \\\n" +" --~a 'XXX-Agent' \\\n" +" --~a '/var/log/proxy.log' \\\n" +" --~a '/var/log/proxy.err'" +msgstr "" + +#: src/scm/webid-oidc/program.scm:496 +msgid "" +"\n" +"Running an identity provider" +msgstr "" + +#: src/scm/webid-oidc/program.scm:498 +msgid "" +"\n" +"The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" +"invoked with the following options:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:502 +#, scheme-format +msgid "" +"\n" +" export XDG_DATA_HOME=/var/lib\n" +" export XDG_CACHE_HOME=/var/cache\n" +" ~a ~a \\\n" +" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +"source.tar.gz' \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" +" --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" +" --~a \"$ENCRYPTED_PASSWORD\" \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" +" --~a $PORT" +msgstr "" + +#: src/scm/webid-oidc/program.scm:522 +msgid "" +"\n" +"Running the public pages for an application" +msgstr "" + +#: src/scm/webid-oidc/program.scm:524 +msgid "" +"\n" +"The example client application pages for\n" +"webid-oidc-demo.planete-kraus.eu are served this way:" +msgstr "" + +#: src/scm/webid-oidc/program.scm:528 +#, scheme-format +msgid "" +"\n" +" ~a ~a \\\n" +" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +"source.tar.gz' \\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' " +"\\\n" +" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" +" --~a 'Example 
Solid Application' \\\n" +" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." +"html#Running-a-client' \\\n" +" --~a $PORT" +msgstr "" + +#: src/scm/webid-oidc/program.scm:542 +msgid "" +"\n" +"Running a full server" +msgstr "" + +#: src/scm/webid-oidc/program.scm:545 +msgid "" +"\n" +"To run the server with identity provider and\n" +"resource server for one particular user, you need to combine the\n" +"options for the parts." +msgstr "" + +#: src/scm/webid-oidc/program.scm:549 +#, scheme-format +msgid "" +"\n" +" export XDG_DATA_HOME=/var/lib\n" +" export XDG_CACHE_HOME=/var/cache\n" +" ~a ~a \\\n" +" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +"source.tar.gz' \\\n" +" --~a 'https://data.planete-kraus.eu' \\\n" +" --~a '/var/lib/disfluid/server/key.jwk' \\\n" +" --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" +" --~a '$...alg...$...salt...$...hash...' \\\n" +" --~a 'https://data.planete-kraus.eu/keys' \\\n" +" --~a 'https://data.planete-kraus.eu/authorize' \\\n" +" --~a 'https://data.planete-kraus.eu/token' \\\n" +" --~a '...port...'" +msgstr "" + +#: src/scm/webid-oidc/program.scm:574 +#, scheme-format +msgid "" +"\n" +"If you find a bug, then please send a report to ~a." 
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:579
+#, scheme-format
+msgid ""
+"~a version ~a\n"
+"\n"
+"Rreleased ~a\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:616
+#, scheme-format
+msgid "The --~a argument must be a number, not ~s.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:622
+#, scheme-format
+msgid "The --~a argument must be an integer, not ~s.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:628
+#, scheme-format
+msgid "The --~a argument must be positive, ~s is invalid.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:633
+#, scheme-format
+msgid "The --~a argument must be less than 65536, ~s is invalid.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:675
+#, scheme-format
+msgid ""
+"Usage: ~a COMMAND [OPTIONS]...\n"
+"See --~a (-h).\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:685 src/scm/webid-oidc/program.scm:707
+#: src/scm/webid-oidc/program.scm:779
+#, scheme-format
+msgid "You must pass --~a to set the server name.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:689
+#, scheme-format
+msgid "You must pass --~a to set the backend URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:711 src/scm/webid-oidc/program.scm:783
+#, scheme-format
+msgid ""
+"You must pass --~a to set the file where to store the identity provider "
+"key.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:715 src/scm/webid-oidc/program.scm:787
+#, scheme-format
+msgid "You must pass --~a to set the subject of the identity provider.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:719 src/scm/webid-oidc/program.scm:791
+#, scheme-format
+msgid "You must pass --~a to set the subject’s encrypted password.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:723 src/scm/webid-oidc/program.scm:795
+#, scheme-format
+msgid "You must pass --~a to set the JWKS URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:799
+#, scheme-format
+msgid "You must pass --~a to set the authorization endpoint URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:731 src/scm/webid-oidc/program.scm:803
+#, scheme-format
+msgid "You must pass --~a to set the token endpoint URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:751
+#, scheme-format
+msgid "You must pass --~a to set the application web ID.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:755
+#, scheme-format
+msgid "You must pass --~a to set the redirection URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:759
+#, scheme-format
+msgid "You must pass --~a to set the informative client name.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:763
+#, scheme-format
+msgid "You must pass --~a to set the informative client URI.\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:850
+#, scheme-format
+msgid "Unknown command ~s\n"
+msgstr ""
diff --git a/po/fr.po b/po/fr.po
index a2c3820..e3d7ee2 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2,8 +2,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: webid-oidc 0.0.0\n"
 "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-07-29 12:34+0200\n"
-"PO-Revision-Date: 2021-07-29 12:34+0200\n"
+"POT-Creation-Date: 2021-07-30 12:06+0200\n"
+"PO-Revision-Date: 2021-07-30 12:08+0200\n"
 "Last-Translator: Vivien Kraus \n"
 "Language-Team: French \n"
 "Language: fr\n"
@@ -1096,7 +1096,7 @@ msgstr ""
 msgid "~a version ~a\n"
 msgstr "~a version ~a\n"
 
-#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:607
+#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:609
 msgid ""
 "You are legally required to link to the complete corresponding source code.\n"
 msgstr ""
@@ -1360,10 +1360,10 @@ msgstr "Utilisation : ~a COMMANDE [OPTIONS]...\n"
 #: src/scm/webid-oidc/program.scm:288
 msgid ""
 "\n"
-"Run the webid-oidc COMMAND."
+"Run the disfluid COMMAND."
 msgstr ""
 "\n"
-"Exécute la COMMANDE webid-oidc."
+"Exécute la COMMANDE disfluid."
 
 #: src/scm/webid-oidc/program.scm:291
 msgid ""
@@ -1401,7 +1401,7 @@ msgstr "" " exécute le proxy inverse authentifiant." #: src/scm/webid-oidc/program.scm:303 src/scm/webid-oidc/program.scm:491 -#: src/scm/webid-oidc/program.scm:680 +#: src/scm/webid-oidc/program.scm:682 msgid "command-line|command|reverse-proxy" msgstr "proxy-inversé" @@ -1417,7 +1417,7 @@ msgstr "" " exécute un fournisseur d’identité." #: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:516 -#: src/scm/webid-oidc/program.scm:702 +#: src/scm/webid-oidc/program.scm:704 msgid "command-line|command|identity-provider" msgstr "fournisseur-identité" @@ -1433,7 +1433,7 @@ msgstr "" " sert les pages d’une application publique." #: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:537 -#: src/scm/webid-oidc/program.scm:746 +#: src/scm/webid-oidc/program.scm:748 msgid "command-line|command|client-service" msgstr "service-client" @@ -1451,7 +1451,7 @@ msgstr "" " une fonction de stockage de ressources." #: src/scm/webid-oidc/program.scm:316 src/scm/webid-oidc/program.scm:563 -#: src/scm/webid-oidc/program.scm:775 +#: src/scm/webid-oidc/program.scm:777 msgid "command-line|command|server" msgstr "serveur" @@ -1577,14 +1577,14 @@ msgid "" "\n" " -H HEADER, --~a=HEADER:\n" " the HEADER field contains the webid of the authenticated user,\n" -" XXX-Agent by default. For the full server, disable webid-oidc\n" +" XXX-Agent by default. For the full server, disable Solid-OIDC\n" " authentication." msgstr "" "\n" " -H EN-TÊTE, --~a=EN-TÊTE :\n" " le champ EN-TÊTE contiendra l’identifiant webid de l’utilisateur\n" " authentifié, XXX-Agent par défaut. Pour un serveur complet, ceci\n" -" désactive l’authentification par webid-oidc." +" désactive l’authentification par Solid-OIDC." #: src/scm/webid-oidc/program.scm:367 #, scheme-format 
@@ -2008,7 +2008,7 @@ msgid "" " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" "source.tar.gz' \\\n" " --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/server/key.jwk' \\\n" +" --~a '/var/lib/disfluid/server/key.jwk' \\\n" " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" " --~a '$...alg...$...salt...$...hash...' \\\n" " --~a 'https://data.planete-kraus.eu/keys' \\\n" @@ -2024,7 +2024,7 @@ msgstr "" " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" "source.tar.gz' \\\n" " --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/server/key.jwk' \\\n" +" --~a '/var/lib/disfluid/server/key.jwk' \\\n" " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" " --~a '$...alg...$...sel...$...condensat...' \\\n" " --~a 'https://data.planete-kraus.eu/keys' \\\n" 
@@ -2043,30 +2043,36 @@ msgstr "" #: src/scm/webid-oidc/program.scm:579 #, scheme-format -msgid "~a version ~a, released ~a\n" -msgstr "~a version ~a, publiée le ~a\n" +msgid "" +"~a version ~a\n" +"\n" +"Rreleased ~a\n" +msgstr "" +"~a version ~a\n" +"\n" +"Publiée le ~a\n" -#: src/scm/webid-oidc/program.scm:614 +#: src/scm/webid-oidc/program.scm:616 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "L’argument de --~a doit être un nombre, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:620 +#: src/scm/webid-oidc/program.scm:622 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "L’argument de --~a doit être un entier, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:626 +#: src/scm/webid-oidc/program.scm:628 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "L’argument de --~a doit être positif, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:631 +#: src/scm/webid-oidc/program.scm:633 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:673 +#: src/scm/webid-oidc/program.scm:675 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" 
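Review bot: The new msgid for program.scm:579 in this hunk is `"Rreleased ~a\n"`, a typo that is now frozen into the template and into this French entry; it should be corrected in the source string at `src/scm/webid-oidc/program.scm:579` so xgettext regenerates the entry as `"Released ~a\n"`, after which the French msgstr `"Publiée le ~a\n"` has to be re-attached to the corrected msgid or msgmerge will mark it fuzzy. The same typo is present in the added po/disfluid.pot entry above this file. Separately, the first hunk of this file keeps `"Project-Id-Version: webid-oidc 0.0.0\n"` in the header unchanged while the rest of the commit renames the project to disfluid; that header is presumably meant to follow the rename as well, though nothing on the page shows where it is regenerated from.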
@@ -2075,18 +2081,18 @@ msgstr ""
 "Utilisation : ~a COMMANDE [OPTIONS]...\n"
 "Voir --~a (-h).\n"
 
-#: src/scm/webid-oidc/program.scm:683 src/scm/webid-oidc/program.scm:705
-#: src/scm/webid-oidc/program.scm:777
+#: src/scm/webid-oidc/program.scm:685 src/scm/webid-oidc/program.scm:707
+#: src/scm/webid-oidc/program.scm:779
 #, scheme-format
 msgid "You must pass --~a to set the server name.\n"
 msgstr "Vous devez passer --~a pour définir le nom du serveur.\n"
 
-#: src/scm/webid-oidc/program.scm:687
+#: src/scm/webid-oidc/program.scm:689
 #, scheme-format
 msgid "You must pass --~a to set the backend URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n"
 
-#: src/scm/webid-oidc/program.scm:709 src/scm/webid-oidc/program.scm:781
+#: src/scm/webid-oidc/program.scm:711 src/scm/webid-oidc/program.scm:783
 #, scheme-format
 msgid ""
 "You must pass --~a to set the file where to store the identity provider "
@@ -2095,59 +2101,59 @@ msgstr ""
 "Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n"
 "la clé du fournisseur d’identité.\n"
 
-#: src/scm/webid-oidc/program.scm:713 src/scm/webid-oidc/program.scm:785
+#: src/scm/webid-oidc/program.scm:715 src/scm/webid-oidc/program.scm:787
 #, scheme-format
 msgid "You must pass --~a to set the subject of the identity provider.\n"
 msgstr ""
 "Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n"
 
-#: src/scm/webid-oidc/program.scm:717 src/scm/webid-oidc/program.scm:789
+#: src/scm/webid-oidc/program.scm:719 src/scm/webid-oidc/program.scm:791
 #, scheme-format
 msgid "You must pass --~a to set the subject’s encrypted password.\n"
 msgstr ""
 "Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n"
 
-#: src/scm/webid-oidc/program.scm:721 src/scm/webid-oidc/program.scm:793
+#: src/scm/webid-oidc/program.scm:723 src/scm/webid-oidc/program.scm:795
 #, scheme-format
 msgid "You must pass --~a to set the JWKS URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n"
 
-#: src/scm/webid-oidc/program.scm:725 src/scm/webid-oidc/program.scm:797
+#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:799
 #, scheme-format
 msgid "You must pass --~a to set the authorization endpoint URI.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n"
 
-#: src/scm/webid-oidc/program.scm:729 src/scm/webid-oidc/program.scm:801
+#: src/scm/webid-oidc/program.scm:731 src/scm/webid-oidc/program.scm:803
 #, scheme-format
 msgid "You must pass --~a to set the token endpoint URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n"
 
-#: src/scm/webid-oidc/program.scm:749
+#: src/scm/webid-oidc/program.scm:751
 #, scheme-format
 msgid "You must pass --~a to set the application web ID.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'identifiant web de l’application.\n"
 
-#: src/scm/webid-oidc/program.scm:753
+#: src/scm/webid-oidc/program.scm:755
 #, scheme-format
 msgid "You must pass --~a to set the redirection URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n"
 
-#: src/scm/webid-oidc/program.scm:757
+#: src/scm/webid-oidc/program.scm:759
 #, scheme-format
 msgid "You must pass --~a to set the informative client name.\n"
 msgstr ""
 "Vous devez passer --~a pour donner un nom pour l’application à titre "
 "informatif.\n"
 
-#: src/scm/webid-oidc/program.scm:761
+#: src/scm/webid-oidc/program.scm:763
 #, scheme-format
 msgid "You must pass --~a to set the informative client URI.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n"
 
-#: src/scm/webid-oidc/program.scm:848
+#: src/scm/webid-oidc/program.scm:850
 #, scheme-format
 msgid "Unknown command ~s\n"
 msgstr "Commande inconnue ~s\n"
diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot
deleted file mode 100644
index f189555..0000000
--- a/po/webid-oidc.pot
+++ /dev/null
@@ -1,1810 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR Vivien Kraus -# This file is distributed under the same license as the webid-oidc package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: webid-oidc SNAPSHOT\n" -"Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-29 12:34+0200\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#: src/libwebidoidc.c:29 -msgid "This is the main function." -msgstr "" - -#: src/random/random.c:217 -#, c-format -msgid "Could not set the global random generator up.\n" -msgstr "" - -#: src/random/random.c:231 src/random/random.c:243 src/random/random.c:256 -#: src/random/random.c:267 src/random/random.c:278 -#, c-format -msgid "Could not set the global random generator up: out of memory.\n" -msgstr "" - -#: src/random/random.c:288 -#, c-format -msgid "" -"Warning: could not open the seed file, maybe the parent directory is " -"missing...\n" -msgstr "" - -#: src/random/random.c:292 -#, c-format -msgid "Warning: could not create the cache directory '%s'.\n" -msgstr "" - -#: src/random/random.c:294 -msgid "when creating the cache directory" -msgstr "" - -#: src/random/random.c:300 -#, c-format -msgid "Warning: could not create the package cache directory '%s'.\n" -msgstr "" - -#: src/random/random.c:302 -msgid "when creating the package cache directory" -msgstr "" - -#: src/random/random.c:308 -#, c-format -msgid "Could not open the seed file '%s'.\n" -msgstr "" - -#: src/random/random.c:309 -msgid "when opening the seed file" -msgstr "" - -#: src/random/random.c:329 -#, c-format -msgid "Could not lock the seed file '%s'.\n" -msgstr "" - -#: src/random/random.c:331 -msgid "when locking the seed file" -msgstr "" - -#: src/random/random.c:345 -#, c-format -msgid "" -"Warning: the seed 
file '%s' is too short. This weakens the random number " -"generator. Please write more random data in it.\n" -msgstr "" - -#: src/random/random.c:362 -#, c-format -msgid "Could not update the seed file '%s'.\n" -msgstr "" - -#: src/random/random.c:363 -msgid "when rewinding the seed file" -msgstr "" - -#: src/random/random.c:395 -#, c-format -msgid "Could not unlock the seed file '%s'.\n" -msgstr "" - -#: src/random/random.c:397 -msgid "when unlocking the seed file" -msgstr "" - -#: src/random/random.c:425 -#, c-format -msgid "Could not set the thread-local random generator up.\n" -msgstr "" - -#: src/random/random.c:433 -#, c-format -msgid "" -"The random module has not been initialized. Please call " -"webid_oidc_random_init first.\n" -msgstr "" - -#: src/random/generate-random.c:47 -#, c-format -msgid "Usage: generate-random [NUMBER OF BYTES]\n" -msgstr "" - -#: src/jwk/generate-key.c:52 -#, c-format -msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1090 -msgid "that’s how it is" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1095 -#, scheme-format -msgid "the value ~s is not a base64 string (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1098 -#, scheme-format -msgid "the value ~s is not JSON (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1101 -#, scheme-format -msgid "the value ~s is not Turtle (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1104 -#, scheme-format -msgid "the value ~s does not identify an elleptic curve" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1109 -#, scheme-format -msgid "the value ~s does not identify a JWK (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1111 -#, scheme-format -msgid "the value ~s does not identify a JWK" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1116 -#, scheme-format -msgid "the value ~s does not identify a public JWK (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1118 -#, scheme-format 
-msgid "the value ~s does not identify a public JWK" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1123 -#, scheme-format -msgid "the value ~s does not identify a private JWK (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1125 -#, scheme-format -msgid "the value ~s does not identify a private JWK" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1130 -#, scheme-format -msgid "the value ~s does not identify a JWKS (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1132 -#, scheme-format -msgid "the value ~s does not identify a JWKS" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1135 -#, scheme-format -msgid "the value ~s does not identify a hash algorithm" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1138 -#, scheme-format -msgid "the value ~s is not an alist or misses key ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1141 -#, scheme-format -msgid "the value ~s is not a JWS header (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1144 -#, scheme-format -msgid "the value ~s is not a JWS payload (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1147 -#, scheme-format -msgid "the value ~s is not a JWS (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1150 -#, scheme-format -msgid "the string ~s cannot be split in 3 parts with ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1153 -#, scheme-format -msgid "" -"all key candidates failed to verify signature ~s with algorithm ~s and " -"payload ~a (there were ~a: ~s)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1156 -#, scheme-format -msgid "I cannot decode JWS ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1159 -#, scheme-format -msgid "I cannot encode JWS ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1162 -#, scheme-format -msgid "" -"the server request unexpectedly failed with code ~a and reason phrase ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1167 -#, scheme-format -msgid "the header ~a should not have the 
value ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1169 -#, scheme-format -msgid "the header ~a should be present" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1172 -#, scheme-format -msgid "the server response wasn't expected: ~s (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1178 -#, scheme-format -msgid "the value ~s is not an OIDC configuration (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1183 -#, scheme-format -msgid "the webid field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1184 -msgid "the webid field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1188 -#, scheme-format -msgid "the sub field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1189 -msgid "the sub field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1193 -#, scheme-format -msgid "the iss field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1194 -msgid "the iss field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1198 -#, scheme-format -msgid "the aud field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1199 -msgid "the aud field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1203 -#, scheme-format -msgid "the iat field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1204 -msgid "the iat field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1208 -#, scheme-format -msgid "the exp field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1209 -msgid "the exp field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1213 -#, scheme-format -msgid "the cnf/jkt field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1214 -msgid "the cnf/jkt field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1218 -#, scheme-format -msgid "the client-id field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1219 -msgid "the client-id field is missing" -msgstr "" - -#: 
src/scm/webid-oidc/errors.scm:1223 -#: src/scm/webid-oidc/authorization-page-unsafe.scm:149 -#, scheme-format -msgid "the redirect_uris field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1224 -#: src/scm/webid-oidc/authorization-page-unsafe.scm:150 -msgid "the redirect_uris field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1228 -#, scheme-format -msgid "the typ field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1229 -msgid "the typ field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1233 -#, scheme-format -msgid "the jwk field is incorrect: ~s (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1235 -msgid "the jwk field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1239 -#, scheme-format -msgid "the jti field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1240 -msgid "the jti field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1244 -#, scheme-format -msgid "the nonce field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1245 -msgid "the nonce field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1249 -#, scheme-format -msgid "the htm field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1250 -msgid "the htm field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1254 -#, scheme-format -msgid "the htu field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1255 -msgid "the htu field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1259 -#, scheme-format -msgid "the ath field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1260 -msgid "the ath field is missing" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1262 -#, scheme-format -msgid "~s is not an access token (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1265 -#, scheme-format -msgid "~s is not an access token header (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1268 
-#, scheme-format -msgid "~s is not an access token payload (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1271 -#, scheme-format -msgid "~s is not a DPoP proof (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1274 -#, scheme-format -msgid "~s is not a DPoP proof header (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1277 -#, scheme-format -msgid "~s is not a DPoP proof payload (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1280 -#, scheme-format -msgid "I cannot fetch the issuer configuration of ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1287 -#, scheme-format -msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1298 -#, scheme-format -msgid "the HTTP method is signed for ~s, but ~s was requested" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1301 -#, scheme-format -msgid "the HTTP uri is signed for ~a, but ~a was requested" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1304 -#, scheme-format -msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1308 -#, scheme-format -msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1317 -#, scheme-format -msgid "the key ~s does not hash to ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1319 -#, scheme-format -msgid "the key confirmation of ~s failed (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1321 -#, scheme-format -msgid "the key confirmation of ~s failed" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1326 -#, scheme-format -msgid "the DPoP proof is bound to an access token with hash ~s, not ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1328 -#, scheme-format -msgid "the DPoP proof should be bound to the access token ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1331 -#, scheme-format -msgid "the jti ~s has already been found (because 
~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1334 -#, scheme-format -msgid "I cannot decode ~s as an access token (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1337 -#, scheme-format -msgid "I cannot encode ~s as an access token with key ~s (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1340 -#, scheme-format -msgid "I cannot decode ~s as a DPoP proof (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1343 -#, scheme-format -msgid "I cannot encode ~s as a DPoP proof (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1346 -#, scheme-format -msgid "I could not fetch a RDF graph at ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1349 -#, scheme-format -msgid "~s is not a client manifest (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1352 -#, scheme-format -msgid "~s does not authorize redirection URI ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1355 -msgid "I cannot serve a public manifest" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1357 -#, scheme-format -msgid "~a does not have a client manifest registration triple" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1360 -#, scheme-format -msgid "the client manifest at ~a is advertised for ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1363 -#, scheme-format -msgid "I could not fetch the client manifest of ~a (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1366 -#, scheme-format -msgid "~s is not an authorization code (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1369 -#, scheme-format -msgid "~s is not an authorization code header (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1372 -#, scheme-format -msgid "~s is not an authorization code payload (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1375 -#, scheme-format -msgid "the current time is ~a, and the authorization code expired at ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1379 -#, scheme-format -msgid "I 
cannot decode ~s as an authorization code (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1382 -#, scheme-format -msgid "I cannot encode ~s as an authorization code (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1385 -#, scheme-format -msgid "there is no such refresh token as ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1388 -#, scheme-format -msgid "" -"the refresh token is bound to a key confirmed as ~s, but it is used with key " -"~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1391 -#, scheme-format -msgid "I cannot decode ~s as an ID token (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1394 -#, scheme-format -msgid "I cannot encode ~s as an ID token (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1397 -#, scheme-format -msgid "the grant type ~s is not supported" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1400 -msgid "there is no authorization code in the request" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1402 -msgid "there is no refresh token in the request" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1404 -#, scheme-format -msgid "~s is not an ID token (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1407 -#, scheme-format -msgid "~s is not an ID token header (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1410 -#, scheme-format -msgid "~s is not an ID token payload (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1413 -#, scheme-format -msgid "" -"I couldn’t set the locale to ~s as an approximation of the client locale ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1416 -#, scheme-format -msgid "~s does not admit ~s as an identity provider" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1419 -#, scheme-format -msgid "" -"~a is neither an identity provider (because ~a) nor a webid (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1424 -#, scheme-format -msgid "the token request failed (because ~a)" -msgstr "" - -#: 
src/scm/webid-oidc/errors.scm:1427 -#, scheme-format -msgid "you don’t have a refresh token for identity ~a certified by ~a in ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1432 -#, scheme-format -msgid "all identity provider candidates for ~a failed: ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1436 -#, scheme-format -msgid "~s failed (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1439 -msgid ", " -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1441 -#, scheme-format -msgid "no resource has been found to serve URI path ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1444 -#, scheme-format -msgid "the resource kind ~s is absent for the resource at ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1447 -#, scheme-format -msgid "no resource has been found to serve URI path ~s, but ~s exists" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1450 -msgid "the root storage cannot be deleted" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1452 -#, scheme-format -msgid "the container ~s should be emptied before being deleted" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1455 -#, scheme-format -msgid "the group ~s cannot be fetched (because ~a)" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1459 -#, scheme-format -msgid "the containment triples in the request to update ~s are not up to date" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1462 -#, scheme-format -msgid "the server cannot process resources with the ~s content-type" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1465 -#, scheme-format -msgid "" -"the client wants to create a resource at ~s, which is reserved for an " -"auxiliary resource" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1468 -#, scheme-format -msgid "" -"the operation on ~s by ~a is refused, because it’s not by ~s and the access " -"control forbids the following mode of operation: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1472 -msgid "an anonymous user" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1477 -#, 
scheme-format -msgid "" -"the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " -"resource has a representation of ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1479 -#, scheme-format -msgid "" -"the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " -"resource has no representation" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1482 -#, scheme-format -msgid "" -"the client wanted a response with a content type among ~s, but the resource " -"at ~s has content-type ~s which cannot be converted to one of them" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1489 -msgid "that’s it" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1493 -#, scheme-format -msgid "~a and ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1496 -#, scheme-format -msgid "~a, ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1500 -#, scheme-format -msgid "the signature ~a does not match key ~s with payload ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1503 -#, scheme-format -msgid "the request failed unexpectedly with code ~a: ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1507 -msgid "there is an undefined variable" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1509 -#, scheme-format -msgid "the origin is ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1512 -#, scheme-format -msgid "a message is attached: ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1515 -#, scheme-format -msgid "the values ~s are problematic" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1518 -#, scheme-format -msgid "there is a kind (~s) and args ~s" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1521 -msgid "there is an assertion failure" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1523 -#, scheme-format -msgid "the program quits with code ~a" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1526 -msgid "the program cannot recover from this exception" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1528 -msgid "there is an external error" -msgstr "" 
- -#: src/scm/webid-oidc/errors.scm:1530 -msgid "there is an error" -msgstr "" - -#: src/scm/webid-oidc/errors.scm:1532 -#, scheme-format -msgid "Unhandled exception type ~a." -msgstr "" - -#: src/scm/webid-oidc/identity-provider.scm:70 -msgid "Warning: generating a new key pair." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:45 -msgid "xml-lang|en" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:61 -msgid "page-title|Authorization" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:66 -msgid "Authorize this anonymous application?" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:67 -#, scheme-format -msgid "Authorize ~a?" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:69 -msgid "Do you want to authorize this application to represent you?" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:79 -msgid "Please retry your password:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:80 -msgid "Please enter your password:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:85 -msgid "Allow" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:91 -msgid "Bad request" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:96 -msgid "The application did not set the client_id parameter." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:101 -msgid "The application did not set the redirect_uri parameter." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:114 -#, scheme-format -msgid "the value ~s is not a base64 string." 
-msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:117 -msgid "the following value is not JSON:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:120 -msgid "the following value is not Turtle:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:123 -#, scheme-format -msgid "" -"the server request unexpectedly failed with code ~a and reason phrase ~s." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:128 -#, scheme-format -msgid "the header ~a should not have the value ~s.\n" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:130 -#, scheme-format -msgid "the header ~a should be present." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:134 -msgid "the server response wasn’t expected:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:143 -#, scheme-format -msgid "the client_id field is incorrect: ~s" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:144 -msgid "the client_id field is missing" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:153 -#, scheme-format -msgid "I could not fetch a RDF graph at ~a;" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:157 -msgid "this is not a client manifest:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:162 -#, scheme-format -msgid "the manifest does not authorize redirection URI ~a:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:167 -#, scheme-format -msgid "the client manifest at ~a is advertised for ~a;" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:172 -#, scheme-format -msgid "I could not fetch the client manifest of ~a;" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:177 -msgid "I could not issue an authorization code for you;" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:185 -msgid "" -"The application you are trying to authorize behaved unexpectedly. 
Here is " -"the explanation of the error:" -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:194 -msgid "Redirecting..." -msgstr "" - -#: src/scm/webid-oidc/authorization-page-unsafe.scm:199 -#, scheme-format -msgid "" -"~a can now log in on your behalf. You still need to adjust " -"permissions." -msgstr "" - -#: src/scm/webid-oidc/resource-server.scm:92 -#, scheme-format -msgid "~a: authentication failure: ~a\n" -msgstr "" - -#: src/scm/webid-oidc/resource-server.scm:275 -#, scheme-format -msgid "Warning: ~a\n" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 -#: src/scm/webid-oidc/program.scm:217 -msgid "command-line|version" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:221 -msgid "command-line|complete-corresponding-source" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:223 -msgid "command-line|help" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:54 -msgid "command-line|port" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:253 -msgid "command-line|log-file" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:255 -msgid "command-line|error-file" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:70 -#, scheme-format -msgid "" -"~a [OPTIONS]...\n" -"\n" -"Display your identity contained in the XXX-Agent header.\n" -"\n" -"This program is covered by the GNU Affero GPL, version 3 or\n" -"later. This license requires you to provide a way for any user over\n" -"the network to download the complete corresponding source code (with\n" -"your modifications) at no cost. The server adds a \"Source:\" header\n" -"to all responses.\n" -"\n" -"Options:\n" -" -S MEANS, --~a=MEANS:\n" -" specify a way to download the complete corresponding source\n" -" code. 
For instance, this would be an URI pointing to a tarball.\n" -" -h, --~a:\n" -" display this help message and exit.\n" -" -v, --~a:\n" -" display the version information (~a) and exit.\n" -" -p PORT, --~a=PORT:\n" -" set the port to bind.\n" -" -l FILE.log, --~a=FILE.log:\n" -" redirect the program standard output to FILE.log.\n" -" -e FILE.err, --~a=FILE.err:\n" -" redirect the program errors to FILE.err.\n" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:103 -#: src/scm/webid-oidc/example-app.scm:159 -#, scheme-format -msgid "~a version ~a\n" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:607 -msgid "" -"You are legally required to link to the complete corresponding source code.\n" -msgstr "" - -#: src/scm/webid-oidc/hello-world.scm:123 -msgid "The port should be a number between 0 and 65535.\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:51 -#, scheme-format -msgid "~a.\t~a, certified by ~a;\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:62 -#, scheme-format -msgid "~a – ~a\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:81 -#, scheme-format -msgid "I’m expecting a number between ~a and ~a.\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:88 -msgid "Please enter an URI to GET: " -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:107 -#, scheme-format -msgid "Sending a request: ~s\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:118 -msgid "comand-line|help" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:126 -#, scheme-format -msgid "" -"Usage: ~a [OPTIONS]...\n" -"\n" -"Demonstrate a webid-oidc application.\n" -"\n" -"Options:\n" -" -h, --~a:\n" -" display this help message and exit.\n" -" -v, --~a:\n" -" display the version information (~a) and exit.\n" -"\n" -"Environment variables:\n" -"\n" -" LANG: set the locale. Currently ~a.\n" -"\n" -" XDG_CACHE_HOME: where the seed for the key generator is\n" -"stored. 
Currently ~a.\n" -"\n" -" XDG_DATA_HOME: where the login credentials are stored. Currently ~a.\n" -"\n" -" HOME: to compute a default value for XDG_CACHE_HOME and\n" -"XDG_DATA_HOME, if missing. Currently ~a.\n" -"\n" -"If you find a bug, send a report to ~a.\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:163 -msgid "First, let’s log in. Here are your options:\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:165 -msgid "0.\tLog in with a different identity.\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:170 -#: src/scm/webid-oidc/example-app.scm:189 -msgid "Please indicate your choice number: " -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:175 -msgid "Please enter your webid, or identity server: " -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:185 -msgid "There are different possible identity providers for your webid:\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:192 -#, scheme-format -msgid "" -"Please visit the following URI with a web browser:\n" -"~a\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:194 -msgid "Please paste your authorization code: " -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:205 -#, scheme-format -msgid "" -"Log in success. 
Keep this identity token for yourself:\n" -"\n" -"~a\n" -"\n" -"Now, you can do authenticated request by presenting the following access " -"token:\n" -"\n" -"~a\n" -"\n" -"and signing DPoP proofs with the following key:\n" -"\n" -"~a\n" -msgstr "" - -#: src/scm/webid-oidc/example-app.scm:226 -#, scheme-format -msgid "There was an error: ~a\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:111 -#, scheme-format -msgid "~a: ~a: Internal server error: ~a\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:125 -#, scheme-format -msgid "" -"The client locale ~s can’t be approximated by system locale ~s (because ~a), " -"using C.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:149 -#, scheme-format -msgid "~a: ~s ~a ~s ~a\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:151 -#, scheme-format -msgid "~a: ~a (~a)" -msgstr "" - -#: src/scm/webid-oidc/program.scm:155 -#, scheme-format -msgid "~a: ~a" -msgstr "" - -#: src/scm/webid-oidc/program.scm:165 -#, scheme-format -msgid "(there was an error: ~a)" -msgstr "" - -#: src/scm/webid-oidc/program.scm:219 -msgid "command-line|describe-project" -msgstr "" - -#: src/scm/webid-oidc/program.scm:225 -msgid "command-line|server|port" -msgstr "" - -#: src/scm/webid-oidc/program.scm:227 -msgid "command-line|server|server-name" -msgstr "" - -#: src/scm/webid-oidc/program.scm:229 -msgid "command-line|server|reverse-proxy|backend-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:231 -msgid "command-line|server|reverse-proxy|header" -msgstr "" - -#: src/scm/webid-oidc/program.scm:233 -msgid "command-line|server|issuer|key-file" -msgstr "" - -#: src/scm/webid-oidc/program.scm:235 -msgid "command-line|server|issuer|subject" -msgstr "" - -#: src/scm/webid-oidc/program.scm:237 -msgid "command-line|server|issuer|encrypted-password" -msgstr "" - -#: src/scm/webid-oidc/program.scm:239 -msgid "command-line|server|issuer|jwks-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:241 -msgid 
"command-line|server|issuer|authorization-endpoint-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:243 -msgid "command-line|server|issuer|token-endpoint-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:245 -msgid "command-line|server|client-id" -msgstr "" - -#: src/scm/webid-oidc/program.scm:247 -msgid "command-line|server|redirect-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:249 -msgid "command-line|server|client-name" -msgstr "" - -#: src/scm/webid-oidc/program.scm:251 -msgid "command-line|server|client-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:284 -#, scheme-format -msgid "Usage: ~a COMMAND [OPTIONS]...\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:288 -msgid "" -"\n" -"Run the webid-oidc COMMAND." -msgstr "" - -#: src/scm/webid-oidc/program.scm:291 -msgid "" -"\n" -"This program is covered by the GNU Affero GPL, version 3 or\n" -"later. This license requires you to provide a way for any user over\n" -"the network to download the complete corresponding source code (with\n" -"your modifications) at no cost. The server adds a \"Source:\" header\n" -"to all responses." -msgstr "" - -#: src/scm/webid-oidc/program.scm:298 -msgid "" -"\n" -"Available commands:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:300 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an authenticating reverse proxy." -msgstr "" - -#: src/scm/webid-oidc/program.scm:303 src/scm/webid-oidc/program.scm:491 -#: src/scm/webid-oidc/program.scm:680 -msgid "command-line|command|reverse-proxy" -msgstr "" - -#: src/scm/webid-oidc/program.scm:304 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an identity provider." -msgstr "" - -#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:516 -#: src/scm/webid-oidc/program.scm:702 -msgid "command-line|command|identity-provider" -msgstr "" - -#: src/scm/webid-oidc/program.scm:308 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" serve the pages for a public application." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:537 -#: src/scm/webid-oidc/program.scm:746 -msgid "command-line|command|client-service" -msgstr "" - -#: src/scm/webid-oidc/program.scm:312 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run a full server, with identity provider and resource storage\n" -" facility." -msgstr "" - -#: src/scm/webid-oidc/program.scm:316 src/scm/webid-oidc/program.scm:563 -#: src/scm/webid-oidc/program.scm:775 -msgid "command-line|command|server" -msgstr "" - -#: src/scm/webid-oidc/program.scm:318 -msgid "" -"\n" -"General options:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:320 -#, scheme-format -msgid "" -"\n" -" -S MEANS, --~a=MEANS:\n" -" specify a way to download the complete corresponding source\n" -" code. For instance, this would be an URI pointing to a tarball." -msgstr "" - -#: src/scm/webid-oidc/program.scm:325 -#, scheme-format -msgid "" -"\n" -" -h, --~a:\n" -" display a short help message and exit." -msgstr "" - -#: src/scm/webid-oidc/program.scm:329 -#, scheme-format -msgid "" -"\n" -" -v, --~a:\n" -" display the version information (~a, released ~a) and exit." -msgstr "" - -#: src/scm/webid-oidc/program.scm:335 -#, scheme-format -msgid "" -"\n" -" --~a:\n" -" describe the project in the DOAP vocabulary and exit." -msgstr "" - -#: src/scm/webid-oidc/program.scm:339 -#, scheme-format -msgid "" -"\n" -" -l FILE.log, --~a=FILE.log:\n" -" redirect the program standard output to FILE.log." -msgstr "" - -#: src/scm/webid-oidc/program.scm:343 -#, scheme-format -msgid "" -"\n" -" -e FILE.err, --~a=FILE.err:\n" -" redirect the program errors to FILE.err." -msgstr "" - -#: src/scm/webid-oidc/program.scm:348 -msgid "" -"\n" -"General server-side options:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:350 -#, scheme-format -msgid "" -"\n" -" -p PORT, --~a=PORT:\n" -" set the server port to bind, 8080 by default." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:354 -#, scheme-format -msgid "" -"\n" -" -n URI, --~a=URI:\n" -" set the public server URI (scheme, userinfo, host, and port)." -msgstr "" - -#: src/scm/webid-oidc/program.scm:359 -msgid "" -"\n" -"Options for the resource server:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:361 -#, scheme-format -msgid "" -"\n" -" -H HEADER, --~a=HEADER:\n" -" the HEADER field contains the webid of the authenticated user,\n" -" XXX-Agent by default. For the full server, disable webid-oidc\n" -" authentication." -msgstr "" - -#: src/scm/webid-oidc/program.scm:367 -#, scheme-format -msgid "" -"\n" -" -b URI, --~a=URI:\n" -" set the backend URI for the reverse proxy, only for the\n" -" reverse-proxy command." -msgstr "" - -#: src/scm/webid-oidc/program.scm:373 -msgid "" -"\n" -"Options for the identity provider:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:375 -#, scheme-format -msgid "" -"\n" -" -k FILE, --~a=FILE.jwk:\n" -" set the file name of the key file. If it does not exist, a new\n" -" key is generated. The server does not offer an HTTPS service." -msgstr "" - -#: src/scm/webid-oidc/program.scm:380 -#, scheme-format -msgid "" -"\n" -" -s WEBID, --~a=WEBID:\n" -" set the identity of the subject." -msgstr "" - -#: src/scm/webid-oidc/program.scm:384 -#, scheme-format -msgid "" -"\n" -" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" -" set the encrypted password to recognize the user." -msgstr "" - -#: src/scm/webid-oidc/program.scm:388 -#, scheme-format -msgid "" -"\n" -" -j URI, --~a=URI:\n" -" set the URI to query the key of the server." -msgstr "" - -#: src/scm/webid-oidc/program.scm:392 -#, scheme-format -msgid "" -"\n" -" -a URI, --~a=URI:\n" -" set the authorization endpoint of the issuer." -msgstr "" - -#: src/scm/webid-oidc/program.scm:396 -#, scheme-format -msgid "" -"\n" -" -t URI, --~a=URI:\n" -" set the token endpoint of the issuer." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:401 -msgid "" -"\n" -"Options for the client service:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:403 -#, scheme-format -msgid "" -"\n" -" -c URI, --~a=URI:\n" -" set the web identifier of the client application, which is\n" -" dereferenced to a semantic resource." -msgstr "" - -#: src/scm/webid-oidc/program.scm:408 -#, scheme-format -msgid "" -"\n" -" -r URI, --~a=URI:\n" -" set the redirection URI to get the authorization code back. The\n" -" page is presented with the code to paste in the application." -msgstr "" - -#: src/scm/webid-oidc/program.scm:413 -#, scheme-format -msgid "" -"\n" -" -C NAME, --~a=NAME:\n" -" set the user-visible application name (may be misleading...)." -msgstr "" - -#: src/scm/webid-oidc/program.scm:417 -#, scheme-format -msgid "" -"\n" -" -u URI, --~a=URI:\n" -" set an URI where someone would find more information about the\n" -" application (again, may be misleading)." -msgstr "" - -#: src/scm/webid-oidc/program.scm:423 -msgid "" -"\n" -"Environment variables:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:425 -msgid "" -"\n" -" XML_CATALOG_FILES: the server will fetch resources on the web. By\n" -" setting this environment variable to a space-separated list of\n" -" catalog URIs, the server will redirect these requests to another\n" -" server. Currently, it is not possible to load files from the\n" -" file system, because there is no way to specify the\n" -" content-type." -msgstr "" - -#: src/scm/webid-oidc/program.scm:433 src/scm/webid-oidc/program.scm:440 -#: src/scm/webid-oidc/program.scm:449 src/scm/webid-oidc/program.scm:457 -#: src/scm/webid-oidc/program.scm:465 -#, scheme-format -msgid "" -"the-environment-variable|\n" -" It is currently set to ~s." -msgstr "" - -#: src/scm/webid-oidc/program.scm:436 -msgid "" -"\n" -" LANG: set the locale of the user interface (for the server commands,\n" -" the user is the system administrator)." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:443 -msgid "" -"\n" -" XDG_DATA_HOME: where the program stores persistent data. The\n" -" identity provider stores the refresh tokens. The full server\n" -" stores the resources there. For a system service, it is\n" -" recommended to set it to /var/lib." -msgstr "" - -#: src/scm/webid-oidc/program.scm:452 -msgid "" -"\n" -" XDG_CACHE_HOME: where the program stores and updates the seed file,\n" -" and the web client cache. You can remove this directory at any\n" -" time. The seed file will be initialized from /dev/random." -msgstr "" - -#: src/scm/webid-oidc/program.scm:460 -msgid "" -"\n" -" HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" -" computed from the value of the HOME environment variable. It is\n" -" not used otherwise." -msgstr "" - -#: src/scm/webid-oidc/program.scm:469 -msgid "" -"\n" -"Running a reverse proxy" -msgstr "" - -#: src/scm/webid-oidc/program.scm:471 -msgid "" -"\n" -"Suppose that you operate data.provider.com. You want to run an\n" -"authenticating reverse proxy, that will receive incoming requests\n" -"through http://localhost:8080, and forward them to\n" -"https://private.data.provider.com. The backend will look for the\n" -"XXX-Agent header, and if it is found, then its value will be\n" -"considered the webid of the authenticated\n" -"user. https://private.data.provider.com should only accept requests\n" -"from this reverse proxy." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:481 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n" -" --~a 8080 \\\n" -" --~a 'https://data.provider.com' \\\n" -" --~a 'https://private.data.provider.com' \\\n" -" --~a 'XXX-Agent' \\\n" -" --~a '/var/log/proxy.log' \\\n" -" --~a '/var/log/proxy.err'" -msgstr "" - -#: src/scm/webid-oidc/program.scm:496 -msgid "" -"\n" -"Running an identity provider" -msgstr "" - -#: src/scm/webid-oidc/program.scm:498 -msgid "" -"\n" -"The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" -"invoked with the following options:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:502 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$ENCRYPTED_PASSWORD\" \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" -" --~a $PORT" -msgstr "" - -#: src/scm/webid-oidc/program.scm:522 -msgid "" -"\n" -"Running the public pages for an application" -msgstr "" - -#: src/scm/webid-oidc/program.scm:524 -msgid "" -"\n" -"The example client application pages for\n" -"webid-oidc-demo.planete-kraus.eu are served this way:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:528 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' " -"\\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" -" --~a 'Example 
Solid Application' \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." -"html#Running-a-client' \\\n" -" --~a $PORT" -msgstr "" - -#: src/scm/webid-oidc/program.scm:542 -msgid "" -"\n" -"Running a full server" -msgstr "" - -#: src/scm/webid-oidc/program.scm:545 -msgid "" -"\n" -"To run the server with identity provider and\n" -"resource server for one particular user, you need to combine the\n" -"options for the parts." -msgstr "" - -#: src/scm/webid-oidc/program.scm:549 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/server/key.jwk' \\\n" -" --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '$...alg...$...salt...$...hash...' \\\n" -" --~a 'https://data.planete-kraus.eu/keys' \\\n" -" --~a 'https://data.planete-kraus.eu/authorize' \\\n" -" --~a 'https://data.planete-kraus.eu/token' \\\n" -" --~a '...port...'" -msgstr "" - -#: src/scm/webid-oidc/program.scm:574 -#, scheme-format -msgid "" -"\n" -"If you find a bug, then please send a report to ~a." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:579 -#, scheme-format -msgid "~a version ~a, released ~a\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:614 -#, scheme-format -msgid "The --~a argument must be a number, not ~s.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:620 -#, scheme-format -msgid "The --~a argument must be an integer, not ~s.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:626 -#, scheme-format -msgid "The --~a argument must be positive, ~s is invalid.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:631 -#, scheme-format -msgid "The --~a argument must be less than 65536, ~s is invalid.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:673 -#, scheme-format -msgid "" -"Usage: ~a COMMAND [OPTIONS]...\n" -"See --~a (-h).\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:683 src/scm/webid-oidc/program.scm:705 -#: src/scm/webid-oidc/program.scm:777 -#, scheme-format -msgid "You must pass --~a to set the server name.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:687 -#, scheme-format -msgid "You must pass --~a to set the backend URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:709 src/scm/webid-oidc/program.scm:781 -#, scheme-format -msgid "" -"You must pass --~a to set the file where to store the identity provider " -"key.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:713 src/scm/webid-oidc/program.scm:785 -#, scheme-format -msgid "You must pass --~a to set the subject of the identity provider.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:717 src/scm/webid-oidc/program.scm:789 -#, scheme-format -msgid "You must pass --~a to set the subject’s encrypted password.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:721 src/scm/webid-oidc/program.scm:793 -#, scheme-format -msgid "You must pass --~a to set the JWKS URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:725 src/scm/webid-oidc/program.scm:797 -#, scheme-format -msgid "You must pass --~a to set the authorization endpoint URI.\n" -msgstr "" - -#: 
src/scm/webid-oidc/program.scm:729 src/scm/webid-oidc/program.scm:801 -#, scheme-format -msgid "You must pass --~a to set the token endpoint URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:749 -#, scheme-format -msgid "You must pass --~a to set the application web ID.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:753 -#, scheme-format -msgid "You must pass --~a to set the redirection URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:757 -#, scheme-format -msgid "You must pass --~a to set the informative client name.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:761 -#, scheme-format -msgid "You must pass --~a to set the informative client URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:848 -#, scheme-format -msgid "Unknown command ~s\n" -msgstr ""
diff --git a/pre-inst-env.in b/pre-inst-env.in
index f1323c9..14f4625 100755
--- a/pre-inst-env.in
+++ b/pre-inst-env.in
@@ -1,6 +1,6 @@
 #!@SHELL@
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
diff --git a/src/Makefile.am b/src/Makefile.am
index 930fe01..f30840e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,4 +1,4 @@
-# webid-oidc, implementation of the Solid specification
+# disfluid, implementation of the Solid specification
 # Copyright (C) 2020, 2021 Vivien Kraus
 # This program is free software: you can redistribute it and/or modify
@@ -16,7 +16,7 @@ lib_LTLIBRARIES += %reldir%/libwebidoidc.la
-dist_bin_SCRIPTS += %reldir%/webid-oidc %reldir%/webid-oidc-hello %reldir%/webid-oidc-example-app
+dist_bin_SCRIPTS += %reldir%/disfluid %reldir%/disfluid-hello %reldir%/disfluid-example-app
 AM_CPPFLAGS += -I %reldir% -I $(srcdir)/%reldir%
diff --git a/src/disfluid b/src/disfluid
new file mode 100755
index 0000000..e596dd6
--- /dev/null
+++ b/src/disfluid
@@ -0,0 +1,23 @@
+#!/usr/local/bin/guile \
+--no-auto-compile -s
+!#
+
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2020, 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc program))
+
+(main)
diff --git a/src/disfluid-example-app b/src/disfluid-example-app
new file mode 100755
index 0000000..4c2a7d6
--- /dev/null
+++ b/src/disfluid-example-app
@@ -0,0 +1,23 @@
+#!/usr/local/bin/guile \
+--no-auto-compile -s
+!#
+
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2020, 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc example-app))
+
+(main)
diff --git a/src/disfluid-hello b/src/disfluid-hello
new file mode 100755
index 0000000..03795f1
--- /dev/null
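Review bot: The new script still loads `(webid-oidc program)` while everything user-visible is now called disfluid, and `src/Makefile.am` keeps `libwebidoidc.la`, so a reader of `src/disfluid` cannot tell whether the import is stale or the module namespace is deliberately left unchanged. A one-line comment above the `use-modules` form would settle it, e.g. `;; The Guile module namespace keeps the historical name (webid-oidc).`. The same applies to `src/disfluid-example-app` and `src/disfluid-hello`, which load `(webid-oidc example-app)` and `(webid-oidc hello-world)`.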
+++ b/src/disfluid-hello
@@ -0,0 +1,23 @@
+#!/usr/local/bin/guile \
+--no-auto-compile -s
+!#
+
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2020, 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc hello-world))
+
+(main)
diff --git a/src/random/random.c b/src/random/random.c
index 9c2faf3..fad151d 100644
--- a/src/random/random.c
+++ b/src/random/random.c
@@ -1,5 +1,5 @@
 /*
- webid-oidc, implementation of the Solid specification
+ disfluid, implementation of the Solid specification
 Copyright (C) 2020, 2021 Vivien Kraus
 This program is free software: you can redistribute it and/or modify
@@ -201,7 +201,7 @@ webid_oidc_random_init (void)
 char *cache_dir, *pkg_cache_dir, *filename;
 char *home = getenv ("HOME");
 char *xdg_cache_home = getenv ("XDG_CACHE_HOME");
- char *application = getenv ("WEBID_OIDC_APPLICATION_NAME");
+ char *application = getenv ("DISFLUID_APPLICATION_NAME");
 static const char *default_application = PACKAGE;
 FILE *seed_file;
 FILE *system_rng_file;
diff --git a/src/scm/webid-oidc/cache.scm b/src/scm/webid-oidc/cache.scm
index 8b8c480..dbf0112 100644
--- a/src/scm/webid-oidc/cache.scm
+++ b/src/scm/webid-oidc/cache.scm
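Review bot: Nothing in the hunk validates the value read from `DISFLUID_APPLICATION_NAME` before it is used; judging by the `pkg_cache_dir` and `filename` locals declared next to it, it presumably becomes a component of the seed-file path later in `webid_oidc_random_init`, whose body continues outside the hunk, so an empty name or one containing `/` or `..` would place the seed file outside the per-application cache directory. Falling back to `default_application` when the name is empty or contains a path separator would close that gap. Separately, the rename drops `WEBID_OIDC_APPLICATION_NAME` with no transitional fallback, so deployments that still export the old name silently revert to the default; a NEWS entry, or reading both names for one release, would avoid the surprise.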
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
@@ -52,7 +52,7 @@ (let ((xdg-cache-home (or (getenv "XDG_CACHE_HOME") (format #f "~a/.cache" (getenv "HOME")))))
- (format #f "~a/webid-oidc" xdg-cache-home)))
+ (format #f "~a/disfluid" xdg-cache-home)))
 (define (web-cache-dir dir)
 (when (thunk? dir)
diff --git a/src/scm/webid-oidc/client.scm b/src/scm/webid-oidc/client.scm
index 83bca37..e8796c0 100644
--- a/src/scm/webid-oidc/client.scm
+++ b/src/scm/webid-oidc/client.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
@@ -259,7 +259,7 @@ (getenv "XDG_DATA_HOME") (format #f "~a/.local/share" (getenv "HOME")))))
- (format #f "~a/webid-oidc" xdg-data-home)))
+ (format #f "~a/disfluid" xdg-data-home)))
 (define*-public (list-profiles #:key (dir default-dir))
 (when (thunk? dir)
diff --git a/src/scm/webid-oidc/example-app.scm b/src/scm/webid-oidc/example-app.scm
index 8d11c73..f0fcdd3 100644
--- a/src/scm/webid-oidc/example-app.scm
+++ b/src/scm/webid-oidc/example-app.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm
index 4fbc34a..4d469f3 100644
--- a/src/scm/webid-oidc/program.scm
+++ b/src/scm/webid-oidc/program.scm
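Review bot: Changing the persistent directory from `~a/webid-oidc` to `~a/disfluid` under XDG_DATA_HOME in client.scm (the same line in refresh-token.scm, and the cache directory in cache.scm) means an upgraded installation no longer finds its stored profiles and refresh tokens, and the old directory, which holds those credentials, is left on disk with nothing to remove it. Either a one-time migration that renames the old directory when the new one is absent, or at least a NEWS entry telling administrators and users to move or delete the old `webid-oidc` directory, would avoid silently orphaning secrets. The cache case is harmless beyond regenerating the seed file, so the note matters for the two data-directory hunks. The enclosing `define` of the default directory starts outside each hunk.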
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
@@ -286,7 +286,7 @@ (car (command-line)))
 (format #t (G_ "
-Run the webid-oidc COMMAND."))
+Run the disfluid COMMAND."))
 (format #t "\n")
 (format #t (G_ "
 This program is covered by the GNU Affero GPL, version 3 or
@@ -361,7 +361,7 @@ Options for the resource server:"))
 (format #t (G_ "
 -H HEADER, --~a=HEADER:
 the HEADER field contains the webid of the authenticated user,
- XXX-Agent by default. For the full server, disable webid-oidc
+ XXX-Agent by default. For the full server, disable Solid-OIDC
 authentication.") header-sym)
 (format #t (G_ "
@@ -552,7 +552,7 @@ options for the parts."))
 ~a ~a \\
 --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\
 --~a 'https://data.planete-kraus.eu' \\
- --~a '/var/lib/webid-oidc/server/key.jwk' \\
+ --~a '/var/lib/disfluid/server/key.jwk' \\
 --~a 'https://data.planete-kraus.eu/vivien#me' \\
 --~a '$...alg...$...salt...$...hash...' \\
 --~a 'https://data.planete-kraus.eu/keys' \\
diff --git a/src/scm/webid-oidc/refresh-token.scm b/src/scm/webid-oidc/refresh-token.scm
index f9ceada..34b2f1b 100644
--- a/src/scm/webid-oidc/refresh-token.scm
+++ b/src/scm/webid-oidc/refresh-token.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
@@ -28,7 +28,7 @@ (getenv "XDG_DATA_HOME") (format #f "~a/.local/share" (getenv "HOME")))))
- (format #f "~a/webid-oidc" xdg-data-home)))
+ (format #f "~a/disfluid" xdg-data-home)))
 (define*-public (list-refresh-tokens #:key
diff --git a/src/scm/webid-oidc/testing.scm b/src/scm/webid-oidc/testing.scm
index f6a5b16..0aec4b8 100644
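Review bot: The rewritten `-H` description still does not state the consequence of the option for the `server` command: if, as "disable Solid-OIDC authentication" suggests, the header value is then accepted as the user's webid without any token check, the help text should say so plainly so nobody enables it outside a reverse proxy that sets the header. Suggest `XXX-Agent by default. For the full server, this disables Solid-OIDC` / `authentication and trusts the header as received; use it only behind` / `a reverse proxy that sets it.` This is a translatable string, so the matching fr.po entry needs the same update, and the enclosing `format` call starts outside the hunk.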
--- a/src/scm/webid-oidc/testing.scm
+++ b/src/scm/webid-oidc/testing.scm
@@ -28,7 +28,7 @@ (catch #t
 (lambda () (mkdir cache-dir))
 (lambda err #t))
- (let ((pkg-cache-dir (format #f "~a/webid-oidc" cache-dir)))
+ (let ((pkg-cache-dir (format #f "~a/disfluid" cache-dir)))
 (catch #t
 (lambda () (mkdir pkg-cache-dir))
 (lambda err #t))
diff --git a/src/webid-oidc b/src/webid-oidc
deleted file mode 100755
index 765f62c..0000000
--- a/src/webid-oidc
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/local/bin/guile \
---no-auto-compile -s
-!#
-
-;; webid-oidc, implementation of the Solid specification
-;; Copyright (C) 2020, 2021 Vivien Kraus
-
-;; This program is free software: you can redistribute it and/or modify
-;; it under the terms of the GNU Affero General Public License as
-;; published by the Free Software Foundation, either version 3 of the
-;; License, or (at your option) any later version.
-
-;; This program is distributed in the hope that it will be useful,
-;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;; GNU Affero General Public License for more details.
-
-;; You should have received a copy of the GNU Affero General Public License
-;; along with this program. If not, see .
-
-(use-modules (webid-oidc program))
-
-(main)
diff --git a/src/webid-oidc-example-app b/src/webid-oidc-example-app
deleted file mode 100755
index efa22a0..0000000
--- a/src/webid-oidc-example-app
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/local/bin/guile \
---no-auto-compile -s
-!#
-
-;; webid-oidc, implementation of the Solid specification
-;; Copyright (C) 2020, 2021 Vivien Kraus
-
-;; This program is free software: you can redistribute it and/or modify
-;; it under the terms of the GNU Affero General Public License as
-;; published by the Free Software Foundation, either version 3 of the
-;; License, or (at your option) any later version.
-
-;; This program is distributed in the hope that it will be useful,
-;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;; GNU Affero General Public License for more details.
-
-;; You should have received a copy of the GNU Affero General Public License
-;; along with this program. If not, see .
-
-(use-modules (webid-oidc example-app))
-
-(main)
diff --git a/src/webid-oidc-hello b/src/webid-oidc-hello
deleted file mode 100755
index ea9d407..0000000
--- a/src/webid-oidc-hello
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/local/bin/guile \
---no-auto-compile -s
-!#
-
-;; webid-oidc, implementation of the Solid specification
-;; Copyright (C) 2020, 2021 Vivien Kraus
-
-;; This program is free software: you can redistribute it and/or modify
-;; it under the terms of the GNU Affero General Public License as
-;; published by the Free Software Foundation, either version 3 of the
-;; License, or (at your option) any later version.
-
-;; This program is distributed in the hope that it will be useful,
-;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;; GNU Affero General Public License for more details.
-
-;; You should have received a copy of the GNU Affero General Public License
-;; along with this program. If not, see .
-
-(use-modules (webid-oidc hello-world))
-
-(main)
diff --git a/tests/acl.scm b/tests/acl.scm
index 8263339..3d76c54 100644
--- a/tests/acl.scm
+++ b/tests/acl.scm
@@ -47,7 +47,7 @@
 (false-if-exception
 (delete-file
 (string-append
- "tests/direct-acl.home/webid-oidc/server/content/"
+ "tests/direct-acl.home/disfluid/server/content/"
 f))))
 '("6/8OMG_V5x-KmI6TI"
 "X/hqM_2Avn5_egTzs"
diff --git a/tests/crud.scm b/tests/crud.scm
index 17a0ac4..40ec7b1 100644
--- a/tests/crud.scm
+++ b/tests/crud.scm
@@ -39,7 +39,7 @@
 (false-if-exception
 (delete-file
 (string-append
- "tests/crud.home/webid-oidc/server/content/"
+ "tests/crud.home/disfluid/server/content/"
 f))))
 '("6/8OMG_V5x-KmI6TI"
 "X/hqM_2Avn5_egTzs"
@@ -63,7 +63,7 @@
 (false-if-exception
 (delete-file
 (string-append
- "tests/crud.home/webid-oidc/server/path/"
+ "tests/crud.home/disfluid/server/path/"
 f))))
 '("L/uhr1159jdGYjIj_tpM6FDiW4rUZDQQKUnT35lhAR-s"
 "8/jgewChguz6YRPCTBOkx_9CW94iH_X88rP6Os4aM8jg"
diff --git a/tests/server-content.scm b/tests/server-content.scm
index 24ecfe9..bb32be4 100644
--- a/tests/server-content.scm
+++ b/tests/server-content.scm
@@ -30,10 +30,10 @@
 (lambda ()
 (false-if-exception
 ;; This is the etag of the root with the seed of the test
- (delete-file "tests/server-content.home/webid-oidc/server/content/6/8OMG_V5x-KmI6TI"))
+ (delete-file "tests/server-content.home/disfluid/server/content/6/8OMG_V5x-KmI6TI"))
 (false-if-exception
 ;; This is the etag of /wtf
- (delete-file "tests/server-content.home/webid-oidc/server/content/X/hqM_2Avn5_egTzs"))
+ (delete-file "tests/server-content.home/disfluid/server/content/X/hqM_2Avn5_egTzs"))
 (receive (/ /wtf)
 (with-session
 (lambda (content-type contained static-content create delete)
diff --git a/update-channel.scm b/update-channel.scm
index dc5cafd..55eaa8a 100644
--- a/update-channel.scm
+++ b/update-channel.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2020, 2021 Vivien Kraus
 
 ;; This program is free software: you can redistribute it and/or modify
@@ -78,18 +78,18 @@
 tmp-dirname
 (invoke git "rm" "-f" "-r" "--ignore-unmatch" ".")
 (copy-recursively interned-modules "." #:follow-symlinks? #t)
- (chmod "vkraus/packages/webid-oidc.scm" #o644)
- (let ((port (open-file "vkraus/packages/webid-oidc.scm" "a")))
- (write `(define-public webid-oidc
- (webid-oidc-release ,version ,release-date ,commit ,hash))
+ (chmod "vkraus/packages/disfluid.scm" #o644)
+ (let ((port (open-file "vkraus/packages/disfluid.scm" "a")))
+ (write `(define-public disfluid
+ (disfluid-release ,version ,release-date ,commit ,hash))
 port)
 (display "\n" port)
- (write `(define-public webid-oidc-html
- (webid-oidc-htmlize webid-oidc))
+ (write `(define-public disfluid-html
+ (disfluid-htmlize disfluid))
 port)
 (display "\n" port)
- (write `(define-public webid-oidc:website
- (make-website webid-oidc))
+ (write `(define-public disfluid:website
+ (make-website disfluid))
 port)
 (display "\n" port)
 (close-port port))
-- 
cgit v1.2.3
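Review bot: The three `write` / `(display "\n" port)` pairs appended to `vkraus/packages/disfluid.scm` repeat the same two-line pattern, and the rename had to touch all six of those lines, so this is a good moment to fold them into one `for-each` over the quasiquoted forms; adding a fourth exported definition later then becomes a one-line change. Behaviour is unchanged: each form is still written with `write` followed by a newline, in the same order, to the same append-mode port. The `chmod` before `open-file` suggests the copied file arrives read-only (presumably because `copy-recursively` preserves the permissions of `interned-modules`); a comment such as `;; the copied package file is read-only; make it writable before appending` would spare the next reader that inference. The enclosing form starts before this hunk.

```scheme
 (chmod "vkraus/packages/disfluid.scm" #o644)
 (let ((port (open-file "vkraus/packages/disfluid.scm" "a")))
   (for-each (lambda (form)
               (write form port)
               (display "\n" port))
             `((define-public disfluid
                 (disfluid-release ,version ,release-date ,commit ,hash))
               (define-public disfluid-html
                 (disfluid-htmlize disfluid))
               (define-public disfluid:website
                 (make-website disfluid))))
   (close-port port))
```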
