Hello,
I’m trying to use https://solidcommunity.net/ in combination with Virtuoso as an RP. I have some questions about Solid’s use of DPoP tokens.
Solid-client-authn-* architecture says that “Solid-OIDC makes the support for Key-bound Access Tokens (referred to as DPoP tokens) mandatory”.
Looking at the sequence diagram for the Solid OIDC Flow in the Solid OIDC Primer, at step 13 the RP generates a DPoP header - this is described further in Section 13: https://solid.github.io/solid-oidc/primer/#authorization-code-pkce-flow-step-13
What signing algorithms and key types does Solid 5.6.12 now allow RPs to use for DPoP JWTs?
Is jwtheader.alg limited to “ES256”?
Is jwtheader.jwk.kty limited to “EC”?
Thanks,
Carl B