Problem. Re-establishing a Solid-OIDC session — after token expiry or on a returning visit — today requires a full top-level redirect to the IdP. That pulls the user out of the app, loses in-page context, and is a poor fit for SPAs, embedded apps, and step-up re-auth prompts.
Proposal. A profile that re-authenticates without a redirect: the user proves possession with a WebAuthn passkey (Level 3), and the app exchanges that assertion for fresh DPoP-bound Solid-OIDC tokens via RFC 8693 token exchange — entirely in-page. It composes existing standards (WebAuthn + Solid-OIDC + RFC 8693) rather than introducing new cryptography.
Draft. https://github.com/jeswr/solid-specs/tree/main/specs/webauthn-reauth
Live preview. https://jeswr.github.io/solid-specs/specs/webauthn-reauth/
Status. Unofficial editor's draft, offered for the group's consideration and discussion.
Problem. Re-establishing a Solid-OIDC session — after token expiry or on a returning visit — today requires a full top-level redirect to the IdP. That pulls the user out of the app, loses in-page context, and is a poor fit for SPAs, embedded apps, and step-up re-auth prompts.
Proposal. A profile that re-authenticates without a redirect: the user proves possession with a WebAuthn passkey (Level 3), and the app exchanges that assertion for fresh DPoP-bound Solid-OIDC tokens via RFC 8693 token exchange — entirely in-page. It composes existing standards (WebAuthn + Solid-OIDC + RFC 8693) rather than introducing new cryptography.
Draft. https://github.com/jeswr/solid-specs/tree/main/specs/webauthn-reauth
Live preview. https://jeswr.github.io/solid-specs/specs/webauthn-reauth/
Status. Unofficial editor's draft, offered for the group's consideration and discussion.