I have done some further research and it seems that I have found a solution. Solid uses an asymmetric key pair to sign and validate the JWT. The token gets signed with a private key, but it can be verified with a public key. The public keys are also known as a JSON Web Key Set and can simply be retrieved from an API endpoint: “https://…solid-server-domain…/jwks”.
Thus the following workflow should be possible:
Precondition: The Client is not logged in.
Workflow:
- Client enters my website.
- Client logs into the Solid provider according to the WebID-OIDC workflow.
- After successful authentication the client sends a request which needs authentication to my back-end. Its previously acquired token is placed in the HTTP header and passed along with the request.
- My back-end server determines the URL of the Solid provider which has issued the token from the iss claim of the token.
- The server requests the public key to verify the token and keeps it in its local cache.
- The server verifies the token with the public key and sends a response.
This is still a theoretical solution. If I have a running example, I will let you know.