Authenticating Offline-First Solid Apps

Thanks, that solves my doubts for the most part.

As I understand it, this is a limitation of the OIDC protocol, right? But it would be perfectly secure to communicate with the IDP in this way.

That’s a shame, but I know it wouldn’t be easy to extend or replace the protocol for Solid, so we’ll have to accept this limitation for the time being.

Yes, a PWA is basically the same as a website; I was thinking about wrapping my app in something like Cordova or Capacitor in order to use the native storage. However, as you mention, the lifetime of the token would be very short anyways, so I’m not sure if it’s even worth it.

It may be a good solution for Background Sync though, so I’ll keep this in mind.

Well, it seems like the iframe workaround is our best hope. I’ll look into it, thanks for the info and your work!

2 Likes