Closed elf-pavlik closed 3 years ago
In addition, I think there should be extra clarification around the difference between a client WebID and a user's WebID (or agent's WebID). It might be a good idea to put that in the terminology section.
Specifically, this clarification would be useful in the document where "The client presents its WebID to the IdP and requests an Authorization Code." is said.
This has been defined by the current draft spec in https://solid.github.io/authentication-panel/solid-oidc/#clientids-webid
Current draft states:
How does the client present its WebID? Should it use some specific query parameter?
It also states:
I don't see in the draft how the IdP verifies that the client actually controls that WebID (and is not trying to impersonate it). We discussed, as one of the possibilities, that the WebID Document returned when the client's WebID gets resolved would include some kind of `solid:redirect_uri` statement to associate that client WebID with a redirect URI.
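Added example, not part of the thread or the draft spec: a sketch of the IdP-side check discussed above, where the redirect URI in the authorization request must exactly match a `solid:redirect_uri` statement about the client's WebID. The predicate IRI, the function name and the sample triples are assumptions made for illustration; fetching the document and parsing its RDF are left out.

```javascript
// Hypothetical IRI for the `solid:redirect_uri` statement floated in the thread;
// not a confirmed vocabulary term.
const REDIRECT_PREDICATE = 'http://www.w3.org/ns/solid/terms#redirect_uri';

// Constructed sample: triples parsed from the document at https://app.example/id.
// The second statement is about a different subject and must be ignored.
const SAMPLE_TRIPLES = [
  ['https://app.example/id#this', REDIRECT_PREDICATE, 'https://app.example/callback'],
  ['https://other.example/id#this', REDIRECT_PREDICATE, 'https://elsewhere.example/callback'],
];

// triples: [subject, predicate, object] string arrays from the document that was
// actually retrieved at documentUrl.
function checkClientRedirect(clientWebId, requestedRedirectUri, documentUrl, triples) {
  let webId;
  try {
    webId = new URL(clientWebId);
    new URL(requestedRedirectUri); // throws on a malformed redirect URI
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (webId.protocol !== 'https:') {
    return { ok: false, reason: 'client WebID must be https' };
  }
  // RFC 6749 section 3.1.2: a redirect URI must not include a fragment.
  if (requestedRedirectUri.includes('#')) {
    return { ok: false, reason: 'redirect URI contains a fragment' };
  }
  // Statements only count when they come from the WebID's own document,
  // otherwise any document could make claims about someone else's WebID.
  const expectedDoc = new URL(webId);
  expectedDoc.hash = '';
  if (documentUrl !== expectedDoc.href) {
    return { ok: false, reason: 'document is not the WebID document' };
  }
  // Keep only statements whose subject is the client WebID itself.
  const registered = triples
    .filter(([s, p]) => s === clientWebId && p === REDIRECT_PREDICATE)
    .map(([, , o]) => o);
  if (registered.length === 0) {
    return { ok: false, reason: 'no redirect URI statement for this WebID' };
  }
  // Exact string comparison: no prefix, wildcard or normalised matching.
  if (!registered.includes(requestedRedirectUri)) {
    return { ok: false, reason: 'redirect URI not registered' };
  }
  return { ok: true, reason: 'redirect URI registered by client WebID' };
}
```

This only ties a redirect URI to whoever controls the WebID document; it says nothing about how the client passes its WebID in the request, which is the other open question in the thread.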