Context: I’m building an iOS native mobile (Swift) authentication library for Solid pods. The design is intended to have the initial part of the authentication (up to and including the browser redirect) work only on the iOS client and later steps (e.g., refresh token request) work either on iOS or on backend Swift-based servers (e.g., running on Linux).
I have a question about 14. Token request with code and code verifier.
Some Solid pod issuers don’t use DPoP’s for /token requests (e.g., https://broker.pod.inrupt.com/). They use
My first question is: How do you tell from the discovery document for a given Solid pod issuer whether it accepts DPoP’s for /token requests? e.g., what should I see in the contents of
Here I see:
"token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "self_signed_tls_client_auth", "none" ],
My second question: Do any current Solid pod implementations currently allow use of DPoP’s for /token requests?
I had thought that I had been using DPoP’s to successfully do /token requests with some issuers (e.g., https://solidcommunity.net), but it seems that the DPoP header wasn’t needed. I just ran a test and with none of
DPoP it generated tokens.