solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Slightly unclear/inconsistent description of `cnf` claim for DPoP-bound Access Tokens in solid-oidc spec #107

Closed pmcb55 closed 3 years ago

pmcb55 commented 3 years ago

In the solid-oidc draft, I find the wording in relation to the cnf claim here a little unclear, and inconsistent with the descriptions for the other claims listed alongside it.

`cnf` — For all flows that require DPoP, the confirmation claim is REQUIRED, as per
[DPoP Internet-Draft](https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-7) specification.

Since all these claim descriptions are under the heading "The DPoP-bound Access Token MUST contain at least these claims:", why does this cnf call out that it's only REQUIRED for flows that require DPoP?

In other words, are there flows that don't require DPoP, but that might provide a DPoP-bound Access Token anyway, in which case those particular flows are not REQUIRED to provide a cnf claim, but they still MUST provide all the other REQUIRED claims as described here...?

matthieubosquet commented 3 years ago

In all DPoP-bound Access Tokens the cnf claim is required. See the DPoP spec:

Access tokens that are represented as JSON Web Tokens (JWT) [RFC7519] MUST contain information about the DPoP public key (in JWK format) in the member "jkt" of the "cnf" claim, as shown in Figure 5.

On the other hand we probably should accept Bearer tokens (they are legitimate and secure enough in trusted contexts).

I clarify the claims section in my pull requests:

Which incidentally happened 10 minutes before you published this issue and related pull request 106. ^^,

acoburn commented 3 years ago

I believe this issue has been resolved and can be closed.

acoburn commented 3 years ago

This issue was resolved via #106. Please feel free to re-open if further textual clarification is needed.