elf-pavlik
commented
6 months ago We didn't want to overload OIDC redirect_uri, especially since currently, authn and authz are two independent flows with redirects. While we want to look at having a clear way to offer a combined experience, we might still want to have them available as separate flows.
There is also some relevant information in https://github.com/solid/specification/issues/504 which also applies to on-device apps, specifically:
For the purpose of pure Authentication, I believe we should allow such server-side clients to authenticate independently from any of the end-users on whose behalf it can act. Of course, we still need to ensure that the client can act on behalf of the end user. For that, we step into delegation / client authorization (AuthZ).
Once we have defined VP/VC that represents client authorization, we probably don't need additional OIDC ID tokens, since both end-user identity and client identity would be available in this new credential.
Both occur in e.g. https://github.com/janeirodigital/sai-js/blob/main/packages/css-storage-fixture/acme/projectron/id%24.jsonld
Is
redirect_urisfor OIDC andinterop:hasAuthorizationCallbackEndpointfor other (data-related) OAuth scopes?