
Clarify use of client secret in Primer #214

@Otto-AA


While trying to fix solid-flask I've noticed that ESS requires a basic auth with (client_id, client_secret) to retrieve access tokens at the token_endpoint. As far as I've seen this behaviour is not discussed in the Primer.

I don't have a good overview of Solid-OIDC yet, but I think in the specification it is this part that requires (client_id, client_secret) for the token request: https://solid.github.io/solid-oidc/#tokens

Assuming one of the following options
- Client ID and Secret, and valid DPoP Proof (for dynamic and static registration)
- Dereferencable Client Identifier with a proper Client ID Document and valid DPoP Proof (for a Solid client identifier)
the OP MUST return A DPoP-bound OIDC ID Token.

It could be helpful to point this out in the primer, so implementations don't miss this. It also worked without the basic auth on NSS, which makes it trickier to catch if one does not test the solid-oidc client with more server implementations.
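Added example, not code from the issue, the Primer or any Solid server: a Python sketch of the token request with HTTP Basic client authentication (client_id:client_secret) plus a DPoP header, and the token-endpoint check an OP should perform, of the kind the issue reports NSS did not enforce. The client id, secret and DPoP proof string are constructed placeholders; building the DPoP proof JWT itself is assumed to happen elsewhere.

```python
import base64
import hmac
import urllib.parse

# Constructed sample values (placeholders, not real credentials).
CLIENT_ID = "https://solid-flask.example/client#app"
CLIENT_SECRET = "s3cr3t-example-value"
DPOP_PROOF = "<dpop-proof-jwt-generated-elsewhere>"  # assumed to be produced by the client's DPoP code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication as OAuth 2.0 (RFC 6749 section 2.3.1) specifies:
    both values are form-urlencoded, joined with ':' and base64-encoded."""
    creds = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_token_request(code: str, redirect_uri: str, code_verifier: str, dpop_proof: str) -> dict:
    """Token request a client sends to the token_endpoint when registered with a client secret."""
    return {
        "headers": {
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "DPoP": dpop_proof,  # binds the issued tokens to the client's key pair
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,
        }),
    }


def server_accepts(headers: dict, registered: dict) -> bool:
    """Token-endpoint check: reject missing or wrong client credentials and require a DPoP proof.
    `registered` maps client_id -> client_secret (constructed in-memory store)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic ") or "DPoP" not in headers:
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        cid, secret = decoded.split(":", 1)
    except ValueError:  # bad base64, bad UTF-8 or no ':' separator
        return False
    cid = urllib.parse.unquote(cid)
    secret = urllib.parse.unquote(secret)
    expected = registered.get(cid)
    # constant-time comparison so a wrong secret is not distinguishable by timing
    return expected is not None and hmac.compare_digest(secret, expected)
```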
