Closed csarven closed 3 years ago
@csarven would you prefer to update this PR or create a new one?
This PR is no longer useful as far as merging goes - the draft changed substantially without integrating the suggestions. I'll review the new draft for fun and profit.
The PR is intended to be an editorial update. Please have a look to make sure that it doesn't introduce new errors.
In addition to the editorial update, I add a review here that can be incorporated based on feedback. If any of the points require further discussion, they should be handled as separate issues.
Out of Scope
Re "strongly asserted identity": At this point in the spec, this is unfamiliar jargon. If it is a well-known concept defined by one of the specs, it should be cited. Otherwise, the current section doesn't help the reader (IMO).
Add: Consider mentioning social agreements such as persistence or permanence as orthogonal.
Proof of Identity
Clarify the target: "Client registration [..] is not required" where exactly?
Token Instantiation
Specify client behaviour when it doesn't receive required or valid tokens.
DPoP-bound Access Token
I'd suggest using a URI string specific to this purpose instead of the string `solid`. If the value of `aud` is supposed to be the same in both the DPoP-bound Access Token and the OIDC ID Token, the examples should use the same value for clarity.
Resource Access
Introduction refers to the notion of "Ephemeral clients" and that's kind of fine there but unclear at this point in Resource Access (or elsewhere).
DPoP Validation
Re "the RS MUST deny the resource request", consider specifying or describing the server error.
WebID Claim and Check
Add blurb on required concrete RDF syntax as mentioned in https://github.com/solid/authentication-panel/issues/48#issuecomment-668092738 .