W3C home > Mailing lists > Public > public-solid@w3.org > October 2020

How does the identity provider return two tokens?

From: divoplade <d@divoplade.fr>
Date: Sun, 11 Oct 2020 08:56:25 +0200
Message-ID: <e840f13aebfb6ec527e85ccf31c97a177d215c1d.camel@divoplade.fr>
To: public-solid@w3.org
Dear authentication panel,

The identity provider should return two tokens: the OIDC ID token (that
the client application should keep for itself) and the DPoP-bound
access token (that the client presents to the resource server).

How is it supposed to do so? I assume it should redirect (302 with
Location:) the browser to the requested redirect_uri (provided it
appears in the client manifest in the client webid) with additional GET

The DPoP draft has scarce information on this. I can only imagine that
there must be a query parameter "token_type" with the value of "DPoP".
How are the id token and access token passed?

Best regards,

Received on Sunday, 11 October 2020 06:57:55 UTC

This archive was generated by hypermail 2.4.0 : Sunday, 11 October 2020 06:57:56 UTC