WebID-TLS: Fix Accept header and JSON-LD regex for HTML profiles #70

@melvincarvalho

Summary

WebID-TLS authentication fails with HTML profiles that have embedded JSON-LD due to two issues in src/auth/webid-tls.js.

Issues Found

1. Accept header priority ignored by conneg

Line 142:

'Accept': 'application/ld+json, text/turtle, application/json'

JSS conneg returns text/turtle even when application/ld+json is listed first. When Turtle is returned, the keys are separate nodes not linked from #me via cert:key, causing verification to fail.

Fix: Change to 'Accept': 'text/html' to get the HTML with embedded JSON-LD.

2. JSON-LD regex too strict

Line 160:

/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i

This regex expects the > immediately after the type attribute (with optional whitespace). It fails when there are additional attributes like id="me":

<script type="application/ld+json" id="me">

Fix: Use a more flexible regex:

/<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/i

3. @id references not dereferenced

The code in extractCertKeys looks for cert:key on the #me node and passes each key object to parseKeyObject. However, if cert:key contains @id references like:

"http://www.w3.org/ns/auth/cert#key": [
  { "@id": "#key1" },
  { "@id": "#key2" }
]

The parseKeyObject function won't find cert:modulus/cert:exponent because they're on the referenced nodes, not inline.

Workaround: Add inline modulus/exponent to the key references in the profile.

Proper fix: Dereference @id pointers to find the actual key objects in the JSON-LD graph.

Environment

  • JSS v0.0.75
  • Node.js v22.21.1
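
An added example (not JSS code and not from the issue author) that runs the two regexes from item 2 against an HTML profile and resolves the `@id` references from item 3 inside the same JSON-LD graph. The helper names `extractJsonLd` and `resolveCertKeys` and the sample profile are hypothetical; it assumes node ids match as literal strings and that modulus and exponent are plain literals.

```javascript
// Added example: helper names and the sample profile are constructed, not JSS code.
const CERT = 'http://www.w3.org/ns/auth/cert#';
// The two patterns quoted in the issue (current line 160 and the proposed fix).
const STRICT = /<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i;
const FLEXIBLE = /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/i;

// Constructed HTML profile: the script tag carries an extra id attribute and
// cert:key holds @id references instead of inline key objects.
const SAMPLE_HTML = `<!doctype html><html><body>
<script type="application/ld+json" id="me">
{ "@graph": [
  { "@id": "#me", "${CERT}key": [ { "@id": "#key1" }, { "@id": "#key2" } ] },
  { "@id": "#key1", "${CERT}modulus": "00CAFE01", "${CERT}exponent": 65537 },
  { "@id": "#key2", "${CERT}modulus": "00beef02", "${CERT}exponent": 65537 }
] }
</script></body></html>`;

// Return the parsed embedded JSON-LD, or null when the pattern does not match.
function extractJsonLd(html, regex = FLEXIBLE) {
  const m = regex.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Collect the keys linked from subjectId via cert:key. Inline key objects are
// used directly; bare { "@id": ... } references are looked up in the same graph.
// A reference that is absent from this document is skipped, never fetched, so
// only keys the profile document itself links from the subject are accepted.
function resolveCertKeys(doc, subjectId) {
  const nodes = Array.isArray(doc['@graph']) ? doc['@graph'] : [doc];
  const byId = new Map(nodes.filter(n => n && n['@id']).map(n => [n['@id'], n]));
  const subject = byId.get(subjectId);
  if (!subject) return [];
  const keys = [];
  for (const ref of [].concat(subject[CERT + 'key'] || [])) {
    const inline = ref[CERT + 'modulus'] !== undefined;
    const node = inline ? ref : byId.get(ref['@id']);
    const mod = node && node[CERT + 'modulus'];
    const exp = node && node[CERT + 'exponent'];
    if (mod === undefined || exp === undefined) continue; // dangling or incomplete key
    keys.push({ modulus: String(mod).toLowerCase(), exponent: Number(exp) });
  }
  return keys;
}
```

With the strict pattern the profile yields no JSON-LD at all, and without the graph lookup the two references carry no modulus or exponent to compare against the client certificate.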
