Solid-OIDC - Resource Server

See infra/security#28

Required

  • djangoldp_account.backends.ExternalUserBackend should check thumbprint and validate DPoP signature
  • validating DPoP signature
  • validating htu and htm claims in DPoP proof
  • djangoldp_account.backends.ExternalUserBackend currently checks that the sub (webid) matches the iss
  • djangoldp_account.backends.ExternalUserBackend should fetch public keys from OP and check access token signature validity

Optional

  • users must store the solid:oidcRegistration property at their WebID (example)
  • If the iss claim is different from the domain of the WebID, then the RS MUST check the WebID document for the existence of a statement matching ?webid http://www.w3.org/ns/solid/terms#oidcIssuer ?iss (spec)
  • The above will require an extension to the LDPUser model to store issuers (many-to-many)
  • validate jti to protect against replay attacks
  • returning 401 with a WWW-Authenticate header that informs the Client that a DPoP-bound Access Token is required
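The DPoP-binding checks listed above (thumbprint against cnf.jkt, htm/htu, jti replay) as an added, stand-alone example; this is not code from djangoldp_account or any Solid project. It assumes the JWS signatures of the access token and the DPoP proof have already been verified with a JOSE library using the OP's published keys, and works on the decoded header and claim sets only.

```python
import base64, hashlib, json, time
from urllib.parse import urlsplit, urlunsplit

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members, base64url."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canon = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canon).digest()).rstrip(b"=").decode()

def normalize_htu(url: str) -> str:
    """htu is compared on scheme, host and path only: query and fragment are ignored."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))

def check_dpop_binding(at_claims, proof_header, proof_claims, method, url, seen_jti,
                       now=None, max_age=300):
    """Return [] when the proof binds the access token to this request, else error strings.
    seen_jti is the RS's replay cache (a set here; a TTL cache in production)."""
    now = now or int(time.time())
    errors = []
    if proof_header.get("typ") != "dpop+jwt":
        errors.append("typ is not dpop+jwt")
    jwk = proof_header.get("jwk")
    if not jwk or "d" in jwk:                       # reject missing or private keys
        errors.append("proof must carry a public JWK")
    elif at_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        errors.append("cnf.jkt does not match proof key thumbprint")
    if proof_claims.get("htm") != method.upper():
        errors.append("htm mismatch")
    if normalize_htu(proof_claims.get("htu", "")) != normalize_htu(url):
        errors.append("htu mismatch")
    iat = proof_claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        errors.append("iat missing or outside acceptable window")
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        errors.append("jti missing or already used (replay)")
    else:
        seen_jti.add(jti)
    return errors

def www_authenticate_header() -> str:
    """Value for the 401 response telling the client a DPoP-bound token is required."""
    return 'DPoP algs="ES256 RS256"'
```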
Edited by Calum Mackervoy