Clarify WebID binding requirement for Client Credentials Grant

langsamu · langsamu · commit 176406fcb560 · 2026-03-09T16:00:50.000Z
diff --git a/index.bs b/index.bs
@@ -449,6 +449,9 @@ non-interactive authentication for scripts, automated agents, and server-to-serv
 NOTE: Scripts and bots can also use Solid-OIDC without Client Credentials via the [refresh token
 flow](https://www.rfc-editor.org/rfc/rfc6749#section-1.5), when supported by the server.
 
+When using the Client Credentials Grant, the AS must bind the `client_id` to the user who registered it and use that
+user's WebID in the ID token.
+
 *This section is non-normative*
 
 <div class='example'>
