(webid-oidc authorization-code) defines an authorization code type.
While an authorization code need not be a JWT, it is easier to implement one that way. It is an authorization for client-id, a URI identifying a client, to access the data of the user identified by webid, also a URI. It should only be valid for a limited amount of time, and should be used only once.
The DPoP proof is a token issued by the client and presented to the resource server along with an access token. It is valid for a single request and a single use. So, it should have a very short validity window, for instance 30 seconds, and should only be valid for a specific request method htm and a specific request URI htu, down to the path, but ignoring the query and fragment.
The DPoP proof is the proof of possession of jwk, a public key. It should always have a typ field set to
To construct an authorization code, you would either need #:jwt-payload, as for any token, or a combination of parameters:
#:signing-key, to initialize a JWT;
#:validity, because it is issued for a limited time window (around 30 seconds);
#:nonce, because it is single-use;
#:webid, the user identifier;
#:client-id, the client identifier.
The authorization code is signed and verified by the same entity. So, the key lookup function is tuned to always return the issuer key. You need to set it as the #:issuer-key keyword argument of
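The following is an added illustration, not code from webid-oidc, of the two token shapes described above: an authorization code that carries webid, client-id, a validity window of about 30 seconds and a single-use nonce, issued and verified by the same issuer key; and the claim checks a resource server applies to a DPoP proof (htm, htu without query and fragment, a short iat window, and a single-use jti). To stay self-contained it signs with HMAC-SHA256 over a constructed demo key, standing in for the library's #:signing-key / #:issuer-key; it does not verify the DPoP signature against jwk, which in a real deployment is an asymmetric key carried in the proof header. All names, the in-memory nonce sets and the sample values are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed demo key; a real issuer signs with its private key.
ISSUER_KEY = b"constructed-demo-issuer-key"
CODE_VALIDITY = 30   # seconds, the window suggested for an authorization code
DPOP_VALIDITY = 30   # seconds, the window suggested for a DPoP proof


class InvalidAuthorizationCode(Exception):
    """Raised when an authorization code does not verify."""


class InvalidDpopProof(Exception):
    """Raised when the claims of a DPoP proof do not match the request."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(payload: dict, key: bytes) -> str:
    """Minimal compact JWS, HS256 (stand-in for the library's signing key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def jwt_verify(token: str, key: bytes) -> dict:
    """Return the payload if the signature verifies, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


# Authorization code: signed and verified by the same entity with ISSUER_KEY.
_used_code_nonces: set = set()   # single-use bookkeeping, in memory for the demo


def issue_authorization_code(webid: str, client_id: str, now=None) -> str:
    now = time.time() if now is None else now
    payload = {"webid": webid, "client_id": client_id, "iat": int(now),
               "exp": int(now) + CODE_VALIDITY, "nonce": secrets.token_urlsafe(16)}
    return jwt_sign(payload, ISSUER_KEY)


def verify_authorization_code(code: str, expected_client_id: str, now=None):
    """Return (webid, client_id), or raise InvalidAuthorizationCode."""
    now = time.time() if now is None else now
    try:
        payload = jwt_verify(code, ISSUER_KEY)
    except ValueError as err:
        raise InvalidAuthorizationCode(str(err)) from None
    if payload.get("client_id") != expected_client_id:
        raise InvalidAuthorizationCode("code was issued to a different client")
    if now >= payload.get("exp", 0):
        raise InvalidAuthorizationCode("code has expired")
    nonce = payload.get("nonce")
    if not nonce or nonce in _used_code_nonces:
        raise InvalidAuthorizationCode("code already used")
    _used_code_nonces.add(nonce)
    return payload["webid"], payload["client_id"]


# DPoP proof claims: htm, htu down to the path, short iat window, single-use jti.
_seen_jti: set = set()


def normalize_htu(url: str) -> str:
    """htu is compared without query and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def check_dpop_claims(payload: dict, method: str, url: str, now=None) -> None:
    """Raise InvalidDpopProof unless the proof is bound to this request."""
    now = time.time() if now is None else now
    if payload.get("htm") != method.upper():
        raise InvalidDpopProof("htm does not match the request method")
    if payload.get("htu") != normalize_htu(url):
        raise InvalidDpopProof("htu does not match the request URI")
    iat = payload.get("iat")
    if iat is None or iat > now or now - iat >= DPOP_VALIDITY:
        raise InvalidDpopProof("proof is outside its validity window")
    jti = payload.get("jti")
    if not jti or jti in _seen_jti:
        raise InvalidDpopProof("proof has already been used")
    _seen_jti.add(jti)
```

The single-use checks keep state in process memory, which is enough to show the rule; a server with more than one worker needs the nonce and jti sets in shared storage with an expiry matching the validity window.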
Return the user identifier in token, as a URI.
Return the client identifier in token, as a URI.
This exception is raised when the authorization code is invalid.
Construct an exception of type
Check whether exception was raised because of an invalid authorization code.