Add did:web resolver and unified DID resolution #28

New issue

Closed

opened 2026-04-12 17:29:48 +00:00 by Grandiras · 0 comments

Grandiras commented 2026-04-12 17:29:48 +00:00

Owner

Copy link

Summary

The AT Protocol specifies did:web as one of the supported DID methods. While ATProto.NET has did:plc resolution via PlcClient, there's no dedicated did:web resolver.

Spec Reference

From the DID specification:

• did:web resolves by fetching https://<domain>/.well-known/did.json
• The DID document format is the same W3C DID Document used by did:plc
• did:web is used by services and infrastructure (e.g., did:web:api.bsky.app)

What's needed

1. did:web resolver - Fetch and parse DID documents from .well-known/did.json
2. Unified DID resolution - Dispatch to the correct resolver based on DID method:
   • did:plc:* → PLC directory
   • did:web:* → HTTPS well-known endpoint
3. DID document caching - Cache resolved DID documents with configurable TTL
4. Security validation - HTTPS required, domain validation, SSRF prevention

Why this matters

• did:web is used by services like App Views, Relays, Labelers
• Needed for verifying service-to-service auth (JWT with iss claim)
• Needed for resolving proxy target services
• Needed for complete DID resolution in identity layer

## Summary The AT Protocol specifies `did:web` as one of the supported DID methods. While ATProto.NET has `did:plc` resolution via `PlcClient`, there's no dedicated `did:web` resolver. ## Spec Reference From the [DID specification](https://atproto.com/specs/did): - `did:web` resolves by fetching `https://<domain>/.well-known/did.json` - The DID document format is the same W3C DID Document used by `did:plc` - `did:web` is used by services and infrastructure (e.g., `did:web:api.bsky.app`) ## What's needed 1. **`did:web` resolver** - Fetch and parse DID documents from `.well-known/did.json` 2. **Unified DID resolution** - Dispatch to the correct resolver based on DID method: - `did:plc:*` → PLC directory - `did:web:*` → HTTPS well-known endpoint 3. **DID document caching** - Cache resolved DID documents with configurable TTL 4. **Security validation** - HTTPS required, domain validation, SSRF prevention ## Why this matters - `did:web` is used by services like App Views, Relays, Labelers - Needed for verifying service-to-service auth (JWT with `iss` claim) - Needed for resolving proxy target services - Needed for complete DID resolution in identity layer

Grandiras referenced this issue from a commit 2026-04-12 18:20:36 +00:00

feat: add did:web resolver and unified DID resolution

Grandiras closed this issue 2026-04-12 18:20:36 +00:00

Grandiras referenced this issue from a commit 2026-04-12 18:20:36 +00:00

docs: update CHANGELOG for issues #24, #28, #26, #22, #29

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v0.3.0

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels   

breaking-change

Introduces a breaking API change

  

bug

Something is not working correctly

  

documentation

Documentation improvements

  

duplicate

This issue or PR already exists

  

enhancement

New feature or improvement

  

good first issue

Good for newcomers to the project

  

help wanted

Extra attention is needed

  

performance

Performance-related issue or improvement

  

question

Further information is requested

  

wontfix

This will not be worked on

No labels

breaking-change

bug

documentation

duplicate

enhancement

good first issue

help wanted

performance

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Grandiras/ATProto.NET#28

No description provided.