title: Client Credentials Grant

note left of RP: AUTHORIZATION
note over RP: 1. Alice's server knows a client_secret and OP
RP->Alice's OP: 2. Requests OP configuration
Alice's OP->RP: 3. Returns OP configuration
RP->Alice's OP: 4. Requests OP JWKS
Alice's OP->RP: 5. Returns OP JWKS
note over RP: 6. Generates Private/Public key pair
note over RP: 7. Saves Private/Public key pair to local storage
RP->Alice's OP: 8. Authorization Request
Alice's OP->RP WebID: 9. Retrieves WebID
RP WebID->Alice's OP:
note over Alice's OP: 10. Validates redirect_url with WebID
note over Alice's OP: 11. Validate Client Secret
note over Alice's OP: 12. Generates an access_token
Alice's OP->RP: 12. Returns to redirect_url

note left of RP: SENDING REQUEST
note over RP: 1. Creates a pop_token
RP->Bob's Pod (RS): 2. Request sent
note over Bob's Pod (RS): 3. Checks pop_token Audience
note over Bob's Pod (RS): 4. Checks client signature
Bob's Pod (RS)->Alice's Pod (RS): 5. Retrieves Profile
Alice's Pod (RS)->Bob's Pod (RS):
note over Bob's Pod (RS): 6. Checks Issuer
Bob's Pod (RS)->Alice's OP: 7. Retrieves OP configuration
Alice's OP->Bob's Pod (RS):
Bob's Pod (RS)->Alice's OP: 8. Requests JWKS
Alice's OP->Bob's Pod (RS):
note over Bob's Pod (RS): 9. Performs Authentication
note over Bob's Pod (RS): 10. Performs Authorization
Bob's Pod (RS)->RP: 11. Returns Result

note left of RP: REFRESH TOKEN
Bob's Pod (RS)->RP: 1. 401: token expired
RP->Alice's OP: 2. Refresh token auth request
Alice's OP->RP: 3. Return updated token