Specify the client authentication method when using a Client Identifier

[NSeydoux]

When making a request to the token endpoint of an OIDC provider, a client usually authenticates itself. Client authentication methods at the token endpoint are described in the OpenID spec (and to some extent the OAuth 2.0 spec, and they usually rely on a client having a client id/secret pair, either through static or dynamic registration.

Solid-OIDC introduces a new type of client authentication based on a Client Identifier available at a URL under the client's control, which means that no client registration is required, and no client secret is involved. The only method described in the OpenID spec that aligns with the absence of a client secret and any other form of registration is the none client authentication method. In addition, the OAuth 2.0 spec seems to lean towards enforcing that HTTP Basic auth is only used when both a client id and secret are present. In the absence of a client secret, the client_id should therefore be sent as part of the token request body.

Considering all this, it may be good to add a note to the Solid-OIDC specification, in the Client Identifiers section along the following lines:

### Client Authentication to the token endpoint

Clients using a URI that can be dereferenced as a Client ID Document MUST authenticate to the Solid-OIDC provider's token endpoint by adding their `client_id` to the token request body, as described by the `none` client authentication method in [OIDC.Core]. 

[elf-pavlik]

none
The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.

This sounds reasonable to me, would you like to make PR with what you are proposing here?
We can also wait a little bit for feedback from @acoburn

Looking at https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation

Ensure the Authorization Code was issued to the authenticated Client.

OP needs to know client_id associated with the presented Authoization Code. Does the client really need to provide it in the Token Request?

[NSeydoux]

I'll open a PR after having discussed this in today's panel meeting. And the way I understand the spec you linked to, if the client used some authentication method during the Authorization request, it should include its authentication information during the Token Request too.

[elf-pavlik]

I've been doing some research and it seems fine not to use client authentication with a token endpoint.

When it comes to refresh tokens there is some guidance in:

• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-8
• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13

I'll add this issue inline to the spec to welcome more feedback. Based on that we should be able to close it eventually.