Means for authenticating on /token endpoint
I was confused by 14. Token request with code and code verifier. So far none of the Solid pod issuers I've tried seem to require a DPoP header for a /token endpoint request.
So far, what's working for me is to use the client_secret_basic method in the request header and not include a DPoP header. This is working for issuers:
"https://inrupt.net"
"https://solidcommunity.net"
"https://broker.pod.inrupt.com"
Quite possibly this is a function of issuers catching up with standards. But it took me quite a while to figure this out. And I'd rather others didn't have to go down this rabbit hole. Perhaps there could be some language about this?
See also https://forum.solidproject.org/t/the-use-of-dpop-in-the-token-endpoint/4664/6
Thanks!
I will point out that client_secret_basic (and client_secret_post) is completely orthogonal to DPoP.
DPoP is a mechanism to bind an OAuth access token to a particular client-managed keypair. It has no relationship to the authentication of a client at the /token endpoint.
OAuth client authentication (for static and dynamic OAuth client registrations) makes use of client_secret_basic or client_secret_post. But this is only relevant for confidential clients. For public clients (e.g. Solid Client identifiers), there is no authentication at the token endpoint.
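To make the separation concrete, here is an added example (not code from this thread, the Solid spec, or any Solid library) that assembles a /token request with code and code_verifier: client_secret_basic is an Authorization header that only a confidential client sends, the DPoP proof (if any) is a separate header, and a public client just identifies itself with client_id in the body. The proof string, client credentials and code values below are constructed placeholders; producing a real DPoP proof JWT is out of scope here.

```python
import base64
import hashlib
from urllib.parse import quote_plus, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 section 2.3.1): form-urlencode each part,
    join with ':', then base64 the result. Skipping the encoding step is a
    common bug when ids or secrets contain ':' or non-URL-safe characters."""
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636).
    The authorization request carries this; the token request carries the verifier."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(code, code_verifier, redirect_uri, client_id,
                        client_secret=None, dpop_proof=None):
    """Return (headers, form_body) for POST /token.

    - client_secret given  -> confidential client, authenticates via Authorization.
    - client_secret None   -> public client, only identifies itself via client_id.
    - dpop_proof given     -> DPoP header added; independent of the two cases above.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id  # public client: no token-endpoint authentication
    if dpop_proof is not None:
        headers["DPoP"] = dpop_proof  # key binding for the issued token, not client auth
    return headers, urlencode(body)


if __name__ == "__main__":
    # Constructed values, not from any real issuer.
    h, b = build_token_request("CODE123", "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
                               "https://app.example/cb", "my-client", "s3cret")
    print(h, b, sep="\n")
```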