- From: divoplade <d@divoplade.fr>
- Date: Sun, 11 Oct 2020 08:56:25 +0200
- To: public-solid@w3.org
Dear authentication panel, The identity provider should return two tokens: the OIDC ID token (that the client application should keep for itself) and the DPoP-bound access token (that the client presents to the resource server). How is it supposed to do so? I assume it should redirect (302 with Location:) the browser to the requested redirect_uri (provided it appears in the client manifest in the client webid) with additional GET parameters. The DPoP draft has scarce information on this. I can only imagine that there must be a query parameter "token_type" with the value of "DPoP". How are the id token and access token passed? Best regards, divoplade
Received on Sunday, 11 October 2020 06:57:55 UTC