Capture Solid-OIDC with Global Access Token

[uvdsl]

Addresses #250 and captures the authentication flow that all current server and client implementations support (as of 2026-04-21).

This specification version is a snapshot of Solid-OIDC, where a Client uses a global DPOP-bound access token issued by an OpenID Provider to authenticate at an Resource Server.

[elf-pavlik]

Since we don't have simple setup to preview it i improvised one here: https://elf-pavlik.github.io/solid-oidc/

Here's the diff: https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fsolid.github.io%2Fsolid-oidc%2F&doc2=https%3A%2F%2Felf-pavlik.github.io%2Fsolid-oidc%2F

[uvdsl]

That does look a bit weird at times :) I'd recommend checking this branch out and building locally and simply compare manually. The Diff is surprisingly small.

[elf-pavlik]

As I understand the main snapshot will go to https://github.com/solid/specification/
Maybe instead of having snapshot-gat directory we just keep the branch that modifies index.bs and sequence.mmd directly. Possibly also the primer at some point, we could add protection to that pranch as well and keep it in the repo after publication.

[uvdsl]

I thought that this repo would be the best place, given that the issue was logged here and the trace of origin of this snapshot is here. 🤷 I just want this to be done, so I can go back to drafting the other documents I need to work on.

[elf-pavlik]

Please just go ahead and do it the way you find the most convenient!

[elf-pavlik]

@uvdsl this version is missing Client Credentials section, is it intentional or something still on TODO?

• feat: add client credentials as a MUST #245

[uvdsl]

That was indeed intentional, afaik, not all current implementations support that flow. I only know of CSS and ESS. Not sure about all the others...?

[acoburn]

I was under the impression that the Client Credential section was added specifically for Solid26.

[elf-pavlik]

We will attempt to clarify it tomorrow during CG meeting @jeswr @langsamu