solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Verifying client's control of claimed WebID (client_webid) #52

Closed elf-pavlik closed 3 years ago

elf-pavlik commented 4 years ago

Current draft states:

  1. The client presents its WebID to the IdP and requests an Authorization Code.

How does the client present its WebID? Should it use some specific query parameter?

It also states:

The Access Token MUST be a JWT and the IdP MUST embed the client's WebID in the Access Token as a custom claim. This claim MUST be named client_webid.

I don't see in the draft how the IdP verifies that the client actually controls that WebID (and is not trying to impersonate it). We discussed as one possibility that the WebID Document returned when the client's WebID gets resolved would include some kind of solid:redirect_uri statement to associate that client WebID with a redirect URI.
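As an added illustration (not the project's own code), here is the IdP-side check that the solid:redirect_uri proposal above would enable: the IdP dereferences the claimed client WebID and accepts it only if the document lists the requested redirect URI for that exact subject. The predicate name, the example URLs and the in-memory document store are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for what the IdP would fetch over HTTPS when it resolves
# the client's WebID. The predicate solid:redirect_uri is the one proposed in
# the comment above and is an assumption here, not a term from the spec.
WEBID_DOCUMENTS = {
    "https://app.example/webid": """
@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<https://app.example/webid#this>
    a solid:Application ;
    solid:redirect_uri <https://app.example/callback> ;
    solid:redirect_uri <https://app.example/cb2> .
<https://app.example/webid#other>
    solid:redirect_uri <https://other.example/callback> .
""",
}

REDIRECT_RE = re.compile(r"solid:redirect_uri\s+<([^>]+)>")


def fetch_webid_document(client_webid: str):
    """Stand-in for an HTTPS GET of the document the WebID dereferences to."""
    doc_url = client_webid.split("#", 1)[0]  # drop the fragment: fetch the document
    return WEBID_DOCUMENTS.get(doc_url)


def registered_redirect_uris(client_webid: str) -> set:
    """Redirect URIs asserted about the claimed WebID itself, ignoring statements
    about any other subject that happens to live in the same document."""
    body = fetch_webid_document(client_webid)
    if body is None:
        return set()
    uris = set()
    for stmt in body.split(" ."):
        if stmt.strip().startswith(f"<{client_webid}>"):
            uris.update(REDIRECT_RE.findall(stmt))
    return uris


def client_controls_webid(client_webid: str, redirect_uri: str) -> bool:
    """IdP-side check before issuing an Authorization Code: only the party that
    controls the WebID can publish its document, so the requested redirect_uri
    must appear there verbatim (no prefix or wildcard matching)."""
    if urlparse(client_webid).scheme != "https":
        return False
    if urlparse(redirect_uri).scheme != "https":
        return False
    return redirect_uri in registered_redirect_uris(client_webid)
```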

jaxoncreed commented 4 years ago

In addition, I think there should be extra clarification around the difference between a client WebID and a user's WebID (or agent's WebID). It might be a good idea to put that in the terminology section.

jaxoncreed commented 4 years ago

Specifically, this clarification would be useful in the document where "The client presents its WebID to the IdP and requests an Authorization Code." is said.

acoburn commented 3 years ago

This has been defined by the current draft spec in https://solid.github.io/authentication-panel/solid-oidc/#clientids-webid