nostr-solid-auth

🔐 Nostr-Solid Auth

A browser extension that enables zero-redirect authentication to Solid servers using Nostr cryptographic keys (NIP-98).

Features

Zero OAuth Redirects - Authenticate instantly without leaving the page 🔑 Uses Existing Nostr Keys - Works with nos2x, Alby, and other NIP-07 providers 🎯 did:nostr Identity - Proper 64-char hex format for DID resolution 🛡️ Secure by Design - Never touches your private keys, NIP-07 only 🌈 Beautiful UI - Soft gradients and light theme ⚡ Auto-Sign - Optional automatic signing for trusted sites

How It Works

  1. Intercepts 401 responses from Solid servers
  2. Prompts for trust on first visit to a domain
  3. Signs HTTP auth events using your Nostr provider (nos2x, Alby, etc.)
  4. Retries with Authorization header - seamless access!

Traditional Solid-OIDC Flow

Request → 401 → IdP Redirect → Login → Auth Code → Token Exchange → Access

With Nostr-Solid Auth

Request → 401 → Sign Event → Access ✨

Prerequisites

You must have a NIP-07 Nostr provider installed:

Installation

Chrome/Edge/Brave

  1. Clone this repository: 
    git clone https://github.com/JavaScriptSolidServer/nostr-solid-auth.git
cd nostr-solid-auth

  2. Open Chrome and navigate to chrome://extensions/

  3. Enable Developer mode (toggle in top right)

  4. Click Load unpacked

  5. Select the nostr-solid-auth directory

  6. The extension icon should appear in your toolbar! 🎉

Firefox

  1. Clone the repository (same as above)

  2. Navigate to about:debugging#/runtime/this-firefox

  3. Click Load Temporary Add-on

  4. Select the manifest.json file

Usage

First Time Setup

  1. Install a Nostr provider extension (nos2x, Alby, etc.)
  2. Visit a Solid server with protected resources
  3. The extension will prompt you to trust the origin
  4. Click “OK” - your Nostr provider will sign the auth event
  5. Access granted! ✨

Managing Trusted Sites

Click the extension icon to:

Technical Details

NIP-98 HTTP Authentication

The extension implements NIP-98 HTTP Auth:

{
  "kind": 27235,  // HTTP Auth event
  "created_at": 1704451200,
  "tags": [
    ["u", "https://example.com/resource"],  // Full URL
    ["method", "GET"]  // HTTP method
  ],
  "content": ""
}

Authorization header format:

Authorization: Nostr <base64-encoded-signed-event>

DID:Nostr Format

Public keys are validated as 64-character hexadecimal strings:

// Valid
const pubkey = "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d";
const did = `did:nostr:${pubkey}`;
// did:nostr:3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d

Security

Server-Side Support

Your Solid server must support NIP-98 authentication. See the server implementation in JavaScriptSolidServer.

Example server-side validation:

// Extract and decode Authorization header
const authHeader = request.headers.authorization;
if (authHeader?.startsWith('Nostr ')) {
  const eventBase64 = authHeader.substring(6);
  const event = JSON.parse(atob(eventBase64));

  // Validate event
  // 1. Verify signature
  // 2. Check kind === 27235
  // 3. Match URL and method
  // 4. Check timestamp (< 60 seconds old)
  // 5. Verify pubkey is 64-char hex

  // Resolve identity
  const did = `did:nostr:${event.pubkey}`;
  // Map to WebID via did:nostr resolver
}

Architecture

┌─────────────────────────────────────────────────┐
│  Browser Tab                                    │
│  ┌───────────────────────────────────────────┐  │
│  │ Content Script (content.js)               │  │
│  │ - Detects 401 responses                   │  │
│  │ - Shows trust prompts                     │  │
│  │ - Calls window.nostr.signEvent()          │  │
│  │ - Generates Authorization headers         │  │
│  └───────────────────────────────────────────┘  │
└─────────────────────────────────────────────────┘
                     ↕
┌─────────────────────────────────────────────────┐
│  Background Service Worker (background.js)      │
│  - Intercepts webRequest events                 │
│  - Manages trusted origins storage              │
│  - Validates 64-char hex pubkeys                │
│  - Coordinates auth flow                        │
└─────────────────────────────────────────────────┘
                     ↕
┌─────────────────────────────────────────────────┐
│  NIP-07 Provider (nos2x, Alby, etc.)            │
│  - Stores private keys securely                 │
│  - Signs events via window.nostr.signEvent()    │
│  - Returns 64-char hex pubkey                   │
└─────────────────────────────────────────────────┘

Development

Project Structure

nostr-solid-auth/
├── manifest.json       # Extension manifest (MV3)
├── background.js       # Service worker (401 detection)
├── content.js          # Content script (NIP-07 bridge)
├── popup.html          # Popup UI
├── popup.js            # Popup logic
├── icons/              # Extension icons
│   ├── icon16.png
│   ├── icon48.png
│   └── icon128.png
└── README.md

Testing

  1. Load the extension in Chrome
  2. Install nos2x or Alby
  3. Visit a Solid server with protected resources
  4. Open DevTools Console to see logs: 
    [Nostr-Solid Auth] Extension installed
[Nostr-Solid Auth] Detected 401 response: https://...
[Nostr-Solid Auth] Auth required for: https://...

Key Validation

The extension validates all public keys to ensure proper did:nostr format:

function isValidNostrPubkey(pubkey) {
  if (typeof pubkey !== 'string') return false;
  if (pubkey.length !== 64) return false;
  return /^[0-9a-fA-F]{64}$/.test(pubkey);
}

Roadmap

Phase 1: MVP ✅

Phase 2: Enhanced UX

Phase 3: Ecosystem

Phase 4: Advanced

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

Resources

License

MIT

Credits

Built with 💜 for the Solid and Nostr ecosystems.

Part of the JavaScriptSolidServer project.