The (webid-oidc access-token) module contains a definition for the OIDC access token.
The access token is issued by an identity provider for a client, and
is intended to be used by the resource servers. It indicates that the
agent possessing a key hashed to cnf/jkt (a string) is
identified by client-id (a URI) and is authorized to act on
behalf of the user identified by webid (a URI). For
compatibility, aud should be set to the literal string
"solid". The agent demonstrates that it owns this key by
issuing a DPoP proof alongside the access token.
To construct an access token, you need either #:jwt-payload, as for any
token, or a combination of parameters:
#:signing-key, to initialize a JWT;
#:validity, because it is issued for a limited time window (around an hour);
#:iss, the issuer URI, because it is an OIDC token;
#:webid, a URI identifying the user;
#:client-id, a URI identifying the client;
#:cnf/jkt, the hash of a public key whose private key is owned by the client, or
#:client-key, the client key itself;
"solid", optional, defaults to the correct value.
Since the same access token is presented on each request, it is not single-use.
Return the user identifier in token, as a URI.
Return the client identifier in token, as a URI.
Return the hash of the client key, as a string.
This exception is raised when the access token is invalid.
Construct an exception of type
Check whether exception was raised because of an invalid access token.
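The key binding described at the top of this page, seen from the resource server's side, as an added Python example that is not part of the webid-oidc module or its API: it checks an already signature-verified token payload against the public key taken from the DPoP proof. It assumes the JSON claim names webid, client_id and cnf.jkt, assumes the hash is the RFC 7638 SHA-256 JWK thumbprint that DPoP uses, and takes the set of trusted issuers as a parameter; all names and sample values are constructed.

```python
import base64, hashlib, hmac, json, time

# RFC 7638: only these members, in lexicographic order, enter the hash.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk):
    """Base64url (unpadded) SHA-256 thumbprint of a public JWK."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_access_token(payload, dpop_jwk, trusted_issuers, now=None):
    """Return (webid, client_id) if the claims hold, else raise ValueError."""
    # Assumed claim names: iss, aud, exp, webid, client_id, cnf.jkt.
    now = time.time() if now is None else now
    iss = payload.get("iss")
    if not isinstance(iss, str) or iss not in trusted_issuers:
        raise ValueError("untrusted issuer")
    if payload.get("aud") != "solid":
        raise ValueError("aud is not the literal string 'solid'")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or exp missing")
    cnf = payload.get("cnf")
    jkt = cnf.get("jkt") if isinstance(cnf, dict) else None
    if not isinstance(jkt, str):
        raise ValueError("token is not bound to a key (no cnf/jkt)")
    # The token is reusable until exp, so the binding to the DPoP key is
    # what stops a party that merely copied the token from using it.
    if not hmac.compare_digest(jkt.encode(), jwk_thumbprint(dpop_jwk).encode()):
        raise ValueError("DPoP proof key does not match cnf/jkt")
    webid, client_id = payload.get("webid"), payload.get("client_id")
    if not isinstance(webid, str) or not isinstance(client_id, str):
        raise ValueError("webid or client_id missing")
    return webid, client_id

# Constructed sample data (placeholder key material, not a real curve point).
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
OTHER_JWK = dict(CLIENT_JWK, x="b3RoZXIteA")
PAYLOAD = {"iss": "https://idp.example", "aud": "solid", "exp": 2000,
           "webid": "https://alice.example/profile/card#me",
           "client_id": "https://app.example/id",
           "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}

if __name__ == "__main__":
    print(check_access_token(PAYLOAD, CLIENT_JWK, {"https://idp.example"}, now=1000))
```

The signature on the access token and the DPoP proof itself (its signature, method, URI and freshness) still have to be verified separately before these claim checks mean anything.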