Problem
solid-oidc requires modern Web Crypto: crypto.randomUUID (state/nonce/PKCE verifier) and crypto.subtle (SHA-256 digest for the PKCE code_challenge, plus DPoP key-gen/sign). Both are gated to Chromium 92+ and secure contexts.
On browsers that lack them, sign-in dies at the first call with a cryptic:
crypto.randomUUID is not a function
…with no hint of the real cause. Two common situations hit this:
- De-Googled Android phones (LineageOS/pmOS without GApps) — the Android System WebView is stale because it normally updates via the Play Store, which isn't installed. So the default browsing surface can be an old Chromium lacking randomUUID/subtle.
- Non-secure contexts — a pod accessed over http://<lan-ip>:port (not localhost, not HTTPS) → crypto.subtle/randomUUID are undefined even on a modern browser.
This is the path made strict by #5 (jose → Web Crypto) — great for zero-deps, but it now hard-requires modern + secure-context crypto, and fails opaquely when that's absent.
Repro
Open a jspod/xlogin sign-in (which imports solid-oidc) on a de-Googled phone's stale WebView, or any pre-Chromium-92 / non-secure context → crypto.randomUUID is not a function.
Asks
- Polyfill crypto.randomUUID via crypto.getRandomValues (widely supported, not secure-context-gated) so the lib clears the first hurdle.
- Detect missing crypto.subtle up front and throw a clear, actionable error, e.g.:
  solid-oidc requires Web Crypto (crypto.subtle); this browser/context doesn't provide it. Use an up-to-date browser over HTTPS or localhost.
  …instead of a cryptic mid-flow randomUUID crash.
- (Optional) a JS SHA-256 fallback for the PKCE code_challenge so PKCE survives without subtle — but DPoP (ECDSA key-gen/sign) genuinely needs crypto.subtle, so this can't fully run on a browser that lacks it. The realistic win is (1) + (2): a clear "update your browser" message, not a magic fix.
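What asks (1) and (2) look like in code, as an added example that is not part of solid-oidc or this issue: a randomUUID polyfill built only on crypto.getRandomValues, and a preflight check that throws the actionable error before the first mid-flow call. The functions take the crypto object as a parameter (hypothetical helper names) so they can be exercised against a fake as well as globalThis.crypto.

```javascript
// Added example, not code from the solid-oidc project.
// RFC 4122 version-4 UUID from 16 random bytes: set the version nibble (byte 6)
// and the variant bits (byte 8), then format as 8-4-4-4-12 lowercase hex.
function uuidV4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError("uuidV4FromBytes needs 16 bytes");
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40; // version 4
  b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

// Ask (1): install randomUUID on a crypto object that has getRandomValues but
// not randomUUID (stale WebView, or non-secure context). getRandomValues is the
// CSPRNG, so the polyfilled value is as strong as the native one for
// state/nonce/PKCE-verifier use. Returns true if a polyfill was installed.
function polyfillRandomUUID(cryptoObj) {
  if (typeof cryptoObj.randomUUID === "function") return false;
  if (typeof cryptoObj.getRandomValues !== "function") {
    throw new Error("solid-oidc requires crypto.getRandomValues; this browser does not provide it.");
  }
  cryptoObj.randomUUID = function randomUUID() {
    return uuidV4FromBytes(cryptoObj.getRandomValues(new Uint8Array(16)));
  };
  return true;
}

// Ask (2): fail fast with an actionable message when SubtleCrypto is absent
// (pre-Chromium-92 WebView, or an http://<lan-ip> non-secure context). The
// optional location-like object lets the message name the offending origin.
function assertWebCrypto(cryptoObj, locationLike) {
  if (cryptoObj && cryptoObj.subtle) return cryptoObj.subtle;
  const where = locationLike ? ` (page origin: ${locationLike.protocol}//${locationLike.host})` : "";
  throw new Error(
    "solid-oidc requires Web Crypto (crypto.subtle); this browser/context doesn't provide it" +
      where + ". Use an up-to-date browser over HTTPS or localhost."
  );
}

// Browser usage, before the first sign-in step:
//   polyfillRandomUUID(globalThis.crypto);
//   const subtle = assertWebCrypto(globalThis.crypto, globalThis.location);
```

Note that the preflight deliberately runs before the PKCE and DPoP steps, so a user on a stale WebView sees the "update your browser" message rather than the randomUUID TypeError.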
Impact
Affects jspod onboarding sign-in, xlogin, and every app that authenticates via solid-oidc — especially the Solid-Pod-on-a-de-Googled-phone use case. Turning an opaque crash into "your browser is too old / use HTTPS or localhost" is the main improvement.
Related
#5 (jose → Web Crypto). Same family as the secure-context / stale-WebView constraints on de-Googled devices.