I was wondering the following: when I connect to a Solid app, I then get a bearer token, stored in the Authorization header. Once I get this token, I can potentially use it anywhere, for instance on a backend server. I can make HTTP calls to my Pod using this token; the call will then be sent with origin = null and will be allowed by the Solid server.
I am not a security expert as such, but: why is the Solid server not creating the token with the origin of the caller included in it, and then forbidding any calls using this token if the call is not coming from the app that actually requested the token?
Am I missing something ?
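The origin-bound token scheme the question proposes, as an added example that is not part of the original post and not code from any Solid server: a constructed HMAC-signed token (hypothetical format, not Solid's) carrying the requesting app's origin, and a server-side check that rejects the token when the request arrives with no Origin header, with origin null, or from a different origin.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the example; a real server would use its own key material.
SECRET = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(webid: str, origin: str, ttl: int = 3600) -> str:
    """Issue a bearer token whose claims include the origin of the app that requested it."""
    claims = {"webid": webid, "origin": origin, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, request_origin):
    """Return the claims if the token is valid and bound to request_origin, else None.

    request_origin is the value of the request's Origin header, or None when the
    header is absent. A backend or other non-browser caller typically sends no
    Origin, or the literal string "null", so both are rejected here.
    """
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: tampered or forged token
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None  # malformed token
    if claims.get("exp", 0) < time.time():
        return None  # expired
    if request_origin is None or request_origin == "null":
        return None  # no browser origin: the replay-from-backend case in the question
    if claims.get("origin") != request_origin:
        return None  # token was issued to a different app
    return claims
```

A non-browser client can put any value in its Origin header, so this check constrains only requests that a browser sends on an app's behalf; that is why binding to the origin alone is weaker than proving possession of a key.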