Support DPoP token_type
See infra/security#28 for context
Assumptions
- In the new version the client always sends a DPoP proof to our provider
- For now we only support the authorisation code grant type, which is what sib-auth uses; the Solid-OIDC specification recommends against the implicit grant type
- No work is required for PKCE: Django-WebIDOIDC-Provider already supports it via the code challenges included in the tokens
- I think no changes are required for ID token / refresh token generation
Implementation
- Getting oriented in the codebase and updating the unit tests (1.5 days)
- Convert the DPoP public key to its JWK thumbprint (2h)
- Bind the user's public key to the access token ("DPoP-bound access token") by including the JWK thumbprint in the token (2h)
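Added worked example for the last two items (Python; this is illustration code, not code from Django-WebIDOIDC-Provider or sib-auth): the RFC 7638 thumbprint of the public JWK carried in the DPoP proof header, the `cnf.jkt` claim that makes the access token DPoP-bound, and the check a resource server runs when a token is presented with a proof. Function names, the sample key coordinates and the proof builder are constructed for the example; verifying the proof's signature and its htm/htu/iat/jti claims is assumed to be done by the provider library before the thumbprint is used.

```python
import base64
import hashlib
import hmac
import json

# Members that feed the thumbprint, per key type (RFC 7638 section 3.2);
# every other member (kid, alg, use, ...) is ignored by design.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace, SHA-256."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    try:
        canonical = {name: jwk[name] for name in _REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK is missing required member {missing}") from None
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url_encode(hashlib.sha256(encoded).digest())


def dpop_proof_jwk(proof: str) -> dict:
    """Return the public JWK carried in a DPoP proof's JOSE header.

    Only the header is inspected here. Verifying the proof signature with that
    key and checking htm/htu/iat/jti is assumed to be done by the provider
    library before the thumbprint is used (assumption of this example).
    """
    try:
        header_b64, _payload_b64, _signature_b64 = proof.split(".")
    except ValueError:
        raise ValueError("DPoP proof is not a compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("typ") != "dpop+jwt":
        raise ValueError("not a DPoP proof (typ must be dpop+jwt)")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        # RFC 9449 section 4.2: the header key must be public; a private key is a client bug
        raise ValueError("DPoP proof header must carry a public JWK")
    return jwk


def bind_access_token(claims: dict, proof: str) -> dict:
    """Issue a DPoP-bound access token: cnf.jkt holds the proof key's thumbprint."""
    bound = dict(claims)
    bound["cnf"] = {"jkt": jwk_thumbprint(dpop_proof_jwk(proof))}
    return bound


def proof_matches_token(token_claims: dict, proof: str) -> bool:
    """Resource-server side check: the presented proof key must match cnf.jkt."""
    jkt = (token_claims.get("cnf") or {}).get("jkt")
    if not isinstance(jkt, str):
        return False  # not a DPoP-bound token, so the binding check fails
    return hmac.compare_digest(jkt, jwk_thumbprint(dpop_proof_jwk(proof)))


def _unsigned_proof(jwk: dict) -> str:
    """Build a DPoP proof with a placeholder signature, for the constructed sample only."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"htm": "POST", "htu": "https://provider.example/token", "iat": 0, "jti": "sample-jti"}
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(), b"placeholder-signature"]
    return ".".join(b64url_encode(p) for p in parts)


# Constructed sample keys: the coordinates are placeholder strings, not real EC points.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x-client-a", "y": "sample-y-client-a"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x-client-b", "y": "sample-y-client-b"}
SAMPLE_PROOF = _unsigned_proof(SAMPLE_JWK)
OTHER_PROOF = _unsigned_proof(OTHER_JWK)

if __name__ == "__main__":
    token = bind_access_token({"sub": "https://sib.example/profile#me"}, SAMPLE_PROOF)
    print(json.dumps(token, indent=2))
    print("same key:", proof_matches_token(token, SAMPLE_PROOF))
    print("other key:", proof_matches_token(token, OTHER_PROOF))
```

The thumbprint deliberately ignores `kid`, `alg` and any other optional member, so a client cannot change the binding by relabelling the same key; the `cnf.jkt` comparison uses `hmac.compare_digest` so that a token without a `cnf` claim fails closed rather than being accepted as a bearer token.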