solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Use of ID tokens in the WebID-OIDC protocol #65

Closed: acoburn closed this issue 3 years ago

acoburn commented 4 years ago

In a typical interaction with an OIDC provider, both an access token and an ID token are presented to a client. It is typical for clients to then use the access token in subsequent interactions with resource servers (in this case, a Pod), but the current WebID-OIDC protocol describes using the ID token in the way one might ordinarily use an access token.

It would be helpful to clarify the semantics of these tokens w/r/t the token that is presented to a resource server and whether it would be better to use access tokens instead of ID tokens in this context.
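The distinction raised above, sketched as an added example that is not part of the issue thread or of any Solid specification: a resource server that checks the token type and audience of a presented JWT rejects an ID token, whose audience is the client rather than the Pod. The URLs, names and tokens are constructed placeholders, the `at+jwt` type check follows RFC 9068, and signature, issuer and expiry validation are assumed to happen elsewhere.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_jwt(header, claims):
    # Constructed sample: the third part is a dummy, not a real signature.
    return ".".join([_b64url(header), _b64url(claims), "sig"])

def _decode(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_bearer_token(token, resource_server):
    """Return (accepted, reason) for a JWT presented to a resource server.

    Only the token-type and audience checks are shown; signature, issuer
    and expiry validation are assumed to happen elsewhere.
    """
    try:
        header_part, claims_part, _sig = token.split(".")
        header, claims = _decode(header_part), _decode(claims_part)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # RFC 9068 JWT access tokens are typed "at+jwt"; ID tokens are not.
    typ = str(header.get("typ", "")).lower()
    if typ not in ("at+jwt", "application/at+jwt"):
        return False, "not typed as an access token"
    # An ID token names the client as audience; an access token names the server.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if resource_server not in audiences:
        return False, "audience is not this resource server"
    return True, "ok"

POD = "https://pod.example"                 # hypothetical resource server (Pod)
CLIENT = "https://app.example/id"           # hypothetical client identifier
ISSUER = "https://idp.example"              # hypothetical OIDC provider
WEBID = "https://alice.example/profile#me"  # hypothetical WebID

ID_TOKEN = make_sample_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": ISSUER, "sub": WEBID, "aud": CLIENT, "nonce": "constructed"})
ACCESS_TOKEN = make_sample_jwt(
    {"alg": "RS256", "typ": "at+jwt"},
    {"iss": ISSUER, "sub": WEBID, "aud": POD, "client_id": CLIENT})
```
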

kjetilk commented 4 years ago

The discussion on this issue is ongoing in the Authentication Panel.

elf-pavlik commented 3 years ago

@acoburn please re-open if the latest draft doesn't address this issue: https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md