solid-oidc

Clarify use of client secret in Primer

Open Otto-AA opened this issue 2 years ago • 0 comments

While trying to fix solid-flask I've noticed that ESS requires basic auth with (client_id, client_secret) to retrieve access tokens at the token_endpoint. As far as I've seen this behaviour is not discussed in the Primer.

I don't have a good overview of Solid-OIDC yet, but I think in the specification it is this part that requires (client_id, client_secret) for the token request: https://solid.github.io/solid-oidc/#tokens

> Assuming one of the following options
>
> - Client ID and Secret, and valid DPoP Proof (for dynamic and static registration)
> - Dereferencable Client Identifier with a proper Client ID Document and valid DPoP Proof (for a Solid client identifier)
>
> the OP MUST return A DPoP-bound OIDC ID Token.

It could be helpful to point this out in the primer, so implementations don't miss this. It also worked without the basic auth on NSS, which makes it trickier to catch if one does not test the solid-oidc client with more server implementations.

Otto-AA, Feb 20 '23 12:02
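The token request the issue describes, as an added example that is not code from the issue, from solid-flask or from the Solid-OIDC project. It assembles a `client_secret_basic` token request (RFC 6749 section 2.3.1 credentials encoding) carrying a DPoP header, and picks the client authentication method from the OP's discovery document rather than assuming one, which is the check that would have caught the NSS/ESS difference. The discovery documents, client credentials and DPoP proof string are constructed for the example; signing the DPoP proof with the client's key is assumed to be done elsewhere, so `dpop_proof_claims` only builds the claims set.

```python
import base64
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed sample discovery documents (not from a real OP); only the
# fields this example reads are included.
SAMPLE_DISCOVERY_STRICT = {
    "issuer": "https://op.example/",
    "token_endpoint": "https://op.example/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "dpop_signing_alg_values_supported": ["ES256"],
}
# A document that omits token_endpoint_auth_methods_supported: OpenID Connect
# Discovery 1.0 says the default is then client_secret_basic as well, so a
# client that never sends credentials is wrong against this OP too.
SAMPLE_DISCOVERY_NO_FIELD = {
    "issuer": "https://op2.example/",
    "token_endpoint": "https://op2.example/token",
}


def choose_client_auth(discovery: dict) -> str:
    """Pick how to authenticate the client at the token endpoint.

    Prefers the HTTP Basic form because it is the OIDC default and the one
    the issue reports ESS requiring; falls back to client_secret_post, then
    to 'none' (public client / Solid client identifier) only if advertised.
    """
    methods = discovery.get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"]
    )
    for preferred in ("client_secret_basic", "client_secret_post"):
        if preferred in methods:
            return preferred
    if "none" in methods:
        return "none"
    raise ValueError(f"no supported client auth method in {methods!r}")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-urlencode id and secret, join with ':', base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def dpop_proof_claims(htm: str, htu: str, now=None) -> dict:
    """Claims of a DPoP proof for the token request (RFC 9449 s4.2).

    htu must be the token endpoint without query or fragment. The caller is
    assumed to sign these claims as a JWT with typ 'dpop+jwt' and the
    client's public JWK in the header; that step is outside this example.
    """
    return {
        "jti": secrets.token_urlsafe(16),  # fresh per proof, lets the OP reject replays
        "htm": htm,
        "htu": htu.split("#", 1)[0].split("?", 1)[0],
        "iat": int(time.time()) if now is None else now,
    }


def build_token_request(discovery, client_id, client_secret, code,
                        redirect_uri, code_verifier, dpop_proof):
    """Return (url, headers, form_body) for the authorization_code exchange.

    The DPoP header is always sent (Solid-OIDC requires the proof); where the
    client secret goes depends on the OP's advertised method.
    """
    method = choose_client_auth(discovery)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "DPoP": dpop_proof,
    }
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,  # PKCE verifier from the auth request
    }
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:  # 'none': identify the client but send no secret
        form["client_id"] = client_id
    return discovery["token_endpoint"], headers, urlencode(form)


if __name__ == "__main__":
    url, hdrs, body = build_token_request(
        SAMPLE_DISCOVERY_STRICT, "my-client", "s3cret", "abc",
        "https://app.example/cb", "verifier123", "eyJ.dpop.proof")
    print(url, hdrs, body, sep="\n")
```

Against an OP like NSS that accepts the request without credentials, the same client keeps working because the Basic header is simply extra; against an OP like ESS that rejects an unauthenticated confidential client, the header is what makes the exchange succeed, so checking `token_endpoint_auth_methods_supported` is cheaper than testing every server implementation by hand.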