feat: add client credentials as a MUST (#245)

* feat: add client credentials as a MUST

* fix: Use `Access` token rather than `OIDC ID` token

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: Refer to `Authorization Server` over `OpenID Providers`

* Extract changes to separate section

* Update index.bs

Co-authored-by: Jesse Wright <63333554+jeswr@users.noreply.github.com>

* Add reference to refresh token flow

* Make Client Credentials authentication example non-normative and add RFC7523 reference

* Generalize client authentication validation in Client Credentials grant

* Clarify WebID binding requirement for Client Credentials Grant

* Update index.bs

Co-authored-by: elf Pavlik <elf-pavlik@hackers4peace.net>

* Update index.bs

Co-authored-by: Christoph Braun <christoph.braun@protonmail.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Samu Lang <langsamu@hotmail.com>
Co-authored-by: Samu Lang <langsamu@users.noreply.github.com>
Co-authored-by: elf Pavlik <elf-pavlik@hackers4peace.net>
Co-authored-by: Christoph Braun <christoph.braun@protonmail.com>

Author: 5 people

index.bs

@@ -438,6 +438,51 @@ Discovery 1.0 [[!OIDC-DISCOVERY]] resource by including `webid` in its `scopes_s
     </pre>
 </div>
 
+# Client Credentials Grant # {#client-credentials}
+
+NOTE: This sections borrows concepts from OAuth 2.0 [[!RFC6749]], while the rest of Solid-OIDC builds on top of OpenID
+Connect Core 1.0 [[!OIDC-CORE]]. The section is likely to be extracted into a separate specification in the future.
+
+Authorization Servers MUST support the OAuth 2.0 Client Credentials Grant [[!RFC6749]] (Section 4.4) to enable
+non-interactive authentication for scripts, automated agents, and server-to-server communication.
+
+NOTE: Scripts and bots can also use Solid-OIDC without Client Credentials via the [refresh token
+flow](https://www.rfc-editor.org/rfc/rfc6749#section-1.5), when supported by the server.
+
+When using the Client Credentials Grant, the Authorization Server must bind the `client_id` to the user who registered it and use that
+user's WebID for the value of `webid` claim in the ID token.
+
+*This section is non-normative*
+
+<div class='example'>
+    When using the Client Credentials Grant, a Client could authenticate with the OP using a `client_id`
+    and `client_secret` pair, which was previously obtained through client registration (either static or dynamic) by and bound to an authenticated user. The Client
+    sends a token request to the OP's token endpoint with `grant_type=client_credentials` and the `webid` scope.
+</div>
+
+NOTE: [[!RFC7523]] (Section 2.2) presents another way to handle authentication using JWTs.
+
+## Token Instantiation ## {#client-credentials-token-instantiation}
+
+During Token Instantiation [[#tokens]], if the [Client Credentials
+Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) is used, the OP MUST validate the client's authentication
+credentials.
+
+## Solid-OIDC Conformance Discovery ## {#client-credentials-discovery}
+
+For non-interactive use cases such as scripts, automated agents, and server-to-server communication, this specification
+also requires that an OpenID Provider that conforms to the Solid-OIDC specification MUST advertise its support for the
+[Client Credentials Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) in the OpenID Connect Discovery 1.0
+[OIDC.Discovery] resource by including `client_credentials` in its `grant_types_supported` metadata property.
+
+<div class="example">
+    <pre highlight="json">
+        {
+            "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"]
+        }
+    </pre>
+</div>
+
 # Security Considerations # {#security}
 
 *This section is non-normative*