elf-pavlik
commented
2 years ago none The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.
This sounds reasonable to me, would you like to make PR with what you are proposing here? We can also wait a little bit for feedback from @acoburn
Looking at https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation
Ensure the Authorization Code was issued to the authenticated Client.
OP needs to know client_id associated with the presented Authoization Code. Does the client really need to provide it in the Token Request?
NSeydoux
When making a request to the token endpoint of an OIDC provider, a client usually authenticates itself. Client authentication methods at the token endpoint are described in the OpenID spec (and to some extent the OAuth 2.0 spec, and they usually rely on a client having a client id/secret pair, either through static or dynamic registration.
Solid-OIDC introduces a new type of client authentication based on a Client Identifier available at a URL under the client's control, which means that no client registration is required, and no client secret is involved. The only method described in the OpenID spec that aligns with the absence of a client secret and any other form of registration is the
noneclient authentication method. In addition, the OAuth 2.0 spec seems to lean towards enforcing that HTTP Basic auth is only used when both a client id and secret are present. In the absence of a client secret, theclient_idshould therefore be sent as part of the token request body.Considering all this, it may be good to add a note to the Solid-OIDC specification, in the Client Identifiers section along the following lines: