
Support DPoP in OIDC

DPoP is a way to provide security in Solid ecosystems: it protects against replay attacks by ensuring that a token is only accepted when sent from the application it was issued to (see issue for an overview).

How to know DPoP should be used

  • A client should use the value of the token_type parameter to determine whether the Authorization Server supports DPoP (spec). It should be used where possible.
  • The Resource Server will respond 401 and specify in the WWW-Authenticate header that a DPoP-bound access token is required. The Access Token is granted by the Authorization Server (the OIDC provider); see flow.

How to implement it

  • The Client presents its Client Identifier and the associated Secret to the IdP and requests an Authorization Code (OIDC workflow).
  • If granted, the Client presents the Authorization Code and a DPoP proof to the Token Endpoint.
  • Constructing the DPoP proof: useful resource, and another resource for a top-level view.

Misc

  • OAuth and OIDC require the Client application to identify itself to the IdP and RS by presenting a client identifier (Client ID). Solid applications SHOULD use a WebID as their Client ID
  • "it is RECOMMENDED to prefer TLS-based methods over DPoP if such methods are suitable for the scenario at hand"... never for us, as sib-core is a Single-Page Application?
Edited by Calum Mackervoy