The client presents its WebID to the IdP and requests an Authorization Code.
But there is no requirement in the spec for IdPs to implement a mechanism that confirms the application's possession of that WebID. This is important because if an app can claim to be any WebID, it will mess up the access control system down the line.
Currently the spec states: