From f2c75420d982cd44ba67278b8ce01fb73438c865 Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Sun, 6 Dec 2020 19:43:34 +0100
Subject: Implement Solid oidc provider confirmation
---
doc/manual.html | 6 +
po/fr.po | 241 ++++++++++++++-------------
po/webid-oidc.pot | 237 +++++++++++++-------------
src/scm/webid-oidc/Makefile.am | 6 +-
src/scm/webid-oidc/errors.scm | 13 ++
src/scm/webid-oidc/provider-confirmation.scm | 69 ++++++++
tests/Makefile.am | 3 +-
tests/provider-confirmation.scm | 40 +++++
8 files changed, 376 insertions(+), 239 deletions(-)
create mode 100644 src/scm/webid-oidc/provider-confirmation.scm
create mode 100644 tests/provider-confirmation.scm
diff --git a/doc/manual.html b/doc/manual.html
index 14d5bd1..51d524b 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -869,6 +869,12 @@ request.

+ +

+ provider is not confirmed by + subject as an identity provider. +

+

Running an Identity Provider

diff --git a/po/fr.po b/po/fr.po
index dfeafe1..b85be49 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: webid-oidc 0.0.0\n"
 "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-05-10 22:56+0200\n"
+"POT-Creation-Date: 2021-05-10 22:58+0200\n"
 "PO-Revision-Date: 2021-05-10 14:31+0200\n"
 "Last-Translator: Vivien Kraus \n"
 "Language-Team: French \n"
@@ -126,101 +126,101 @@ msgstr "Utilisation : generate-random [NOMBRE D'OCTETS]\n" msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" msgstr "Utilisation : generate-key [NOMBRE DE BITS | COURBE]\n" -#: src/scm/webid-oidc/errors.scm:829 +#: src/scm/webid-oidc/errors.scm:839 msgid "that’s how it is" msgstr "c’est comme ça" -#: src/scm/webid-oidc/errors.scm:834 +#: src/scm/webid-oidc/errors.scm:844 #, scheme-format msgid "the value ~s is not a base64 string (because ~a)" msgstr "la valeur ~s n’est pas une chaîne base64 (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:837 +#: src/scm/webid-oidc/errors.scm:847 #, scheme-format msgid "the value ~s is not JSON (because ~a)" msgstr "la valeur ~s n’est pas du JSON (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:840 +#: src/scm/webid-oidc/errors.scm:850 #, scheme-format msgid "the value ~s is not Turtle (because ~a)" msgstr "la valeur ~s n’est pas du Turtle (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:843 +#: src/scm/webid-oidc/errors.scm:853 #, scheme-format msgid "the value ~s does not identify an elleptic curve" msgstr "la valeur ~s n’identifie pas une courbe elliptique" -#: src/scm/webid-oidc/errors.scm:848 +#: src/scm/webid-oidc/errors.scm:858 #, scheme-format msgid "the value ~s does not identify a JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:850 +#: src/scm/webid-oidc/errors.scm:860 #, scheme-format msgid "the value ~s does not identify a JWK" msgstr "la valeur ~s n’identifie pas une JWK" -#: src/scm/webid-oidc/errors.scm:855 +#: src/scm/webid-oidc/errors.scm:865 #, scheme-format msgid "the value ~s does not identify a public JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK publique (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:857 +#: src/scm/webid-oidc/errors.scm:867 #, scheme-format msgid "the value ~s does not identify a public JWK" msgstr "la valeur ~s n’identifie pas une JWK publique" -#: 
src/scm/webid-oidc/errors.scm:862 +#: src/scm/webid-oidc/errors.scm:872 #, scheme-format msgid "the value ~s does not identify a private JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK privée (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:864 +#: src/scm/webid-oidc/errors.scm:874 #, scheme-format msgid "the value ~s does not identify a private JWK" msgstr "la valeur ~s n’identifie pas une JWK privée" -#: src/scm/webid-oidc/errors.scm:869 +#: src/scm/webid-oidc/errors.scm:879 #, scheme-format msgid "the value ~s does not identify a JWKS (because ~a)" msgstr "la valeur ~s n’identifie pas un JWKS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:871 +#: src/scm/webid-oidc/errors.scm:881 #, scheme-format msgid "the value ~s does not identify a JWKS" msgstr "la valeur ~s n’identifie pas un JWKS" -#: src/scm/webid-oidc/errors.scm:874 +#: src/scm/webid-oidc/errors.scm:884 #, scheme-format msgid "the value ~s does not identify a hash algorithm" msgstr "la valeur ~s n’identifie pas un algorithme de hachage" -#: src/scm/webid-oidc/errors.scm:877 +#: src/scm/webid-oidc/errors.scm:887 #, scheme-format msgid "the value ~s is not an alist or misses key ~s" msgstr "la valeur ~s n’est pas une alist ou il manque la clé ~s" -#: src/scm/webid-oidc/errors.scm:880 +#: src/scm/webid-oidc/errors.scm:890 #, scheme-format msgid "the value ~s is not a JWS header (because ~a)" msgstr "la valeur ~s n’est pas un header JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:883 +#: src/scm/webid-oidc/errors.scm:893 #, scheme-format msgid "the value ~s is not a JWS payload (because ~a)" msgstr "la valeur ~s n’est pas un contenu JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:886 +#: src/scm/webid-oidc/errors.scm:896 #, scheme-format msgid "the value ~s is not a JWS (because ~a)" msgstr "la valeur ~s n’est pas un JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:889 +#: src/scm/webid-oidc/errors.scm:899 #, scheme-format msgid "the string ~s cannot be split in 3 parts 
with ~s" msgstr "la chaîne ~s ne peut pas être découpée en 3 parties avec ~s" -#: src/scm/webid-oidc/errors.scm:892 +#: src/scm/webid-oidc/errors.scm:902 #, scheme-format msgid "" "all key candidates failed to verify signature ~s with algorithm ~s and " @@ -229,17 +229,17 @@ msgstr "" "aucune clé candidate n’a pu vérifier la signature ~s avec l’algorithme ~s et " "le contenu ~a (il y en avait ~a : ~s)" -#: src/scm/webid-oidc/errors.scm:895 +#: src/scm/webid-oidc/errors.scm:905 #, scheme-format msgid "I cannot decode JWS ~a (because ~a)" msgstr "je n’ai pas pu décoder le JWS encodé par ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:898 +#: src/scm/webid-oidc/errors.scm:908 #, scheme-format msgid "I cannot encode JWS ~a (because ~a)" msgstr "je n’ai pas pu encoder le JWS ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:901 +#: src/scm/webid-oidc/errors.scm:911 #, scheme-format msgid "" "the server request unexpectedly failed with code ~a and reason phrase ~s" 
@@ -247,336 +247,336 @@ msgstr "" "la requête au serveur a échoué de façon inattendue avec un code ~a et une " "raison ~s" -#: src/scm/webid-oidc/errors.scm:906 +#: src/scm/webid-oidc/errors.scm:916 #, scheme-format msgid "the header ~a should not have the value ~s" msgstr "l’en-tête ~a ne devrait pas avoir la valeur ~s" -#: src/scm/webid-oidc/errors.scm:908 +#: src/scm/webid-oidc/errors.scm:918 #, scheme-format msgid "the header ~a should be present" msgstr "l’en-tête ~a devrait être présent" -#: src/scm/webid-oidc/errors.scm:911 +#: src/scm/webid-oidc/errors.scm:921 #, scheme-format msgid "the server response wasn't expected: ~s (because ~a)" msgstr "la réponse du serveur est inattendue : ~s (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:917 +#: src/scm/webid-oidc/errors.scm:927 #, scheme-format msgid "the value ~s is not an OIDC configuration (because ~a)" msgstr "la valeur ~s n’est pas une configuration OIDC (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:922 +#: src/scm/webid-oidc/errors.scm:932 #, scheme-format msgid "the webid field is incorrect: ~s" msgstr "le champ webid est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:923 +#: src/scm/webid-oidc/errors.scm:933 msgid "the webid field is missing" msgstr "le champ webid est manquant" -#: src/scm/webid-oidc/errors.scm:927 +#: src/scm/webid-oidc/errors.scm:937 #, scheme-format msgid "the sub field is incorrect: ~s" msgstr "le champ sub est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:928 +#: src/scm/webid-oidc/errors.scm:938 msgid "the sub field is missing" msgstr "le champ sub est manquant" -#: src/scm/webid-oidc/errors.scm:932 +#: src/scm/webid-oidc/errors.scm:942 #, scheme-format msgid "the iss field is incorrect: ~s" msgstr "le champ iss est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:933 +#: src/scm/webid-oidc/errors.scm:943 msgid "the iss field is missing" msgstr "le champ iss est manquant" -#: src/scm/webid-oidc/errors.scm:937 +#: src/scm/webid-oidc/errors.scm:947 #, scheme-format 
msgid "the aud field is incorrect: ~s" msgstr "le champ aud est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:938 +#: src/scm/webid-oidc/errors.scm:948 msgid "the aud field is missing" msgstr "le champ aud est manquant" -#: src/scm/webid-oidc/errors.scm:942 +#: src/scm/webid-oidc/errors.scm:952 #, scheme-format msgid "the iat field is incorrect: ~s" msgstr "le champ iat est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:943 +#: src/scm/webid-oidc/errors.scm:953 msgid "the iat field is missing" msgstr "le champ iat est manquant" -#: src/scm/webid-oidc/errors.scm:947 +#: src/scm/webid-oidc/errors.scm:957 #, scheme-format msgid "the exp field is incorrect: ~s" msgstr "le champ exp est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:948 +#: src/scm/webid-oidc/errors.scm:958 msgid "the exp field is missing" msgstr "le champ exp est manquant" -#: src/scm/webid-oidc/errors.scm:952 +#: src/scm/webid-oidc/errors.scm:962 #, scheme-format msgid "the cnf/jkt field is incorrect: ~s" msgstr "le champ cnf/jkt est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:953 +#: src/scm/webid-oidc/errors.scm:963 msgid "the cnf/jkt field is missing" msgstr "le champ cnf/jkt est manquant" -#: src/scm/webid-oidc/errors.scm:957 +#: src/scm/webid-oidc/errors.scm:967 #, scheme-format msgid "the client-id field is incorrect: ~s" msgstr "le champ client-id est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:958 +#: src/scm/webid-oidc/errors.scm:968 msgid "the client-id field is missing" msgstr "le champ client-id est manquant" -#: src/scm/webid-oidc/errors.scm:962 +#: src/scm/webid-oidc/errors.scm:972 #: src/scm/webid-oidc/authorization-page-unsafe.scm:132 #, scheme-format msgid "the redirect_uris field is incorrect: ~s" msgstr "le champ redirect_uris est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:963 +#: src/scm/webid-oidc/errors.scm:973 #: src/scm/webid-oidc/authorization-page-unsafe.scm:133 msgid "the redirect_uris field is missing" msgstr "le champ redirect_uris est 
manquant" -#: src/scm/webid-oidc/errors.scm:967 +#: src/scm/webid-oidc/errors.scm:977 #, scheme-format msgid "the typ field is incorrect: ~s" msgstr "le champ typ est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:968 +#: src/scm/webid-oidc/errors.scm:978 msgid "the typ field is missing" msgstr "le champ typ est manquant" -#: src/scm/webid-oidc/errors.scm:972 +#: src/scm/webid-oidc/errors.scm:982 #, scheme-format msgid "the jwk field is incorrect: ~s (because ~a)" msgstr "le champ jwk est incorrect : ~s (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:974 +#: src/scm/webid-oidc/errors.scm:984 msgid "the jwk field is missing" msgstr "le champ jwk est manquant" -#: src/scm/webid-oidc/errors.scm:978 +#: src/scm/webid-oidc/errors.scm:988 #, scheme-format msgid "the jti field is incorrect: ~s" msgstr "le champ jti est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:979 +#: src/scm/webid-oidc/errors.scm:989 msgid "the jti field is missing" msgstr "le champ jti est manquant" -#: src/scm/webid-oidc/errors.scm:983 +#: src/scm/webid-oidc/errors.scm:993 #, scheme-format msgid "the nonce field is incorrect: ~s" msgstr "le champ nonce est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:984 +#: src/scm/webid-oidc/errors.scm:994 msgid "the nonce field is missing" msgstr "le champ nonce est manquant" -#: src/scm/webid-oidc/errors.scm:988 +#: src/scm/webid-oidc/errors.scm:998 #, scheme-format msgid "the htm field is incorrect: ~s" msgstr "le champ htm est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:989 +#: src/scm/webid-oidc/errors.scm:999 msgid "the htm field is missing" msgstr "le champ htm est manquant" -#: src/scm/webid-oidc/errors.scm:993 +#: src/scm/webid-oidc/errors.scm:1003 #, scheme-format msgid "the htu field is incorrect: ~s" msgstr "le champ htu est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:994 +#: src/scm/webid-oidc/errors.scm:1004 msgid "the htu field is missing" msgstr "le champ htu est manquant" -#: src/scm/webid-oidc/errors.scm:996 +#: 
src/scm/webid-oidc/errors.scm:1006 #, scheme-format msgid "~s is not an access token (because ~a)" msgstr "~s n’est pas un jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:999 +#: src/scm/webid-oidc/errors.scm:1009 #, scheme-format msgid "~s is not an access token header (because ~a)" msgstr "~s n’est pas un en-tête de jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1002 +#: src/scm/webid-oidc/errors.scm:1012 #, scheme-format msgid "~s is not an access token payload (because ~a)" msgstr "~s n’est pas un contenu de jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1005 +#: src/scm/webid-oidc/errors.scm:1015 #, scheme-format msgid "~s is not a DPoP proof (because ~a)" msgstr "~s n’est pas une preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1008 +#: src/scm/webid-oidc/errors.scm:1018 #, scheme-format msgid "~s is not a DPoP proof header (because ~a)" msgstr "~s n’est pas un en-tête de preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1011 +#: src/scm/webid-oidc/errors.scm:1021 #, scheme-format msgid "~s is not a DPoP proof payload (because ~a)" msgstr "~s n’est pas un contenu de preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1014 +#: src/scm/webid-oidc/errors.scm:1024 #, scheme-format msgid "I cannot fetch the issuer configuration of ~a (because ~a)" msgstr "" "je n’ai pas pu récupérer la configuration de l’émetteur ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1021 +#: src/scm/webid-oidc/errors.scm:1031 #, scheme-format msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" msgstr "je n’ai pas pu récupérer le JWKS de ~a à ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1032 +#: src/scm/webid-oidc/errors.scm:1042 #, scheme-format msgid "the HTTP method is signed for ~s, but ~s was requested" msgstr "la méthode HTTP a été signée pour ~s, mais ~s a été demandé" -#: src/scm/webid-oidc/errors.scm:1035 +#: src/scm/webid-oidc/errors.scm:1045 #, scheme-format msgid "the HTTP 
uri is signed for ~a, but ~a was requested" msgstr "l’uri HTTP a été signé pour ~a, mais ~a a été demandé" -#: src/scm/webid-oidc/errors.scm:1038 +#: src/scm/webid-oidc/errors.scm:1048 #, scheme-format msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" msgstr "la date est ~a, mais la preuve DPoP a été signée dans le futur à ~a" -#: src/scm/webid-oidc/errors.scm:1042 +#: src/scm/webid-oidc/errors.scm:1052 #, scheme-format msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" msgstr "" "la date est ~a, mais la preuve DPoP a été signée il y a trop longtemps à ~a" -#: src/scm/webid-oidc/errors.scm:1051 +#: src/scm/webid-oidc/errors.scm:1061 #, scheme-format msgid "the key ~s does not hash to ~a" msgstr "la clé ~s ne donne pas un hash de ~a" -#: src/scm/webid-oidc/errors.scm:1053 +#: src/scm/webid-oidc/errors.scm:1063 #, scheme-format msgid "the key confirmation of ~s failed (because ~a)" msgstr "la confirmation de clé de ~s a échoué (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1055 +#: src/scm/webid-oidc/errors.scm:1065 #, scheme-format msgid "the key confirmation of ~s failed" msgstr "la confirmation de la clé ~s a échoué" -#: src/scm/webid-oidc/errors.scm:1057 +#: src/scm/webid-oidc/errors.scm:1067 #, scheme-format msgid "the jti ~s has already been found (because ~a)" msgstr "le jti ~s a déjà été trouvé (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1060 +#: src/scm/webid-oidc/errors.scm:1070 #, scheme-format msgid "I cannot decode ~s as an access token (because ~a)" msgstr "je n’ai pas pu décoder ~s comme jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1063 +#: src/scm/webid-oidc/errors.scm:1073 #, scheme-format msgid "I cannot encode ~s as an access token (because ~a)" msgstr "je n’ai pas pu encoder ~s comme un jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1066 +#: src/scm/webid-oidc/errors.scm:1076 #, scheme-format msgid "I cannot decode ~s as a DPoP proof (because ~a)" msgstr "je 
n’ai pas pu décoder ~s comme preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1069 +#: src/scm/webid-oidc/errors.scm:1079 #, scheme-format msgid "I cannot encode ~s as a DPoP proof (because ~a)" msgstr "je n’ai pas pu encoder ~s comme une preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1072 +#: src/scm/webid-oidc/errors.scm:1082 #, scheme-format msgid "I could not fetch a RDF graph at ~a (because ~a)" msgstr "je n’ai pas pu récupérer de graphe RDF à ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1075 +#: src/scm/webid-oidc/errors.scm:1085 #, scheme-format msgid "~s is not a client manifest (because ~a)" msgstr "~s n’est pas un manifeste client (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1078 +#: src/scm/webid-oidc/errors.scm:1088 #, scheme-format msgid "~s does not authorize redirection URI ~a" msgstr "~s n’autorise pas l’URI de redirection ~a" -#: src/scm/webid-oidc/errors.scm:1081 +#: src/scm/webid-oidc/errors.scm:1091 msgid "I cannot serve a public manifest" msgstr "je ne peux pas servir un manifeste public" -#: src/scm/webid-oidc/errors.scm:1083 +#: src/scm/webid-oidc/errors.scm:1093 #, scheme-format msgid "~a does not have a client manifest registration triple" msgstr "~a n’a pas de triplet d’enregistrement de manifeste client" -#: src/scm/webid-oidc/errors.scm:1086 +#: src/scm/webid-oidc/errors.scm:1096 #, scheme-format msgid "the client manifest at ~a is advertised for ~a" msgstr "le manifeste client ~a est publié pour ~a" -#: src/scm/webid-oidc/errors.scm:1089 +#: src/scm/webid-oidc/errors.scm:1099 #, scheme-format msgid "I could not fetch the client manifest of ~a (because ~a)" msgstr "je n’ai pas pu récupérer le manifeste client de ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1092 +#: src/scm/webid-oidc/errors.scm:1102 #, scheme-format msgid "~s is not an authorization code (because ~a)" msgstr "~s n’est pas un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1095 +#: 
src/scm/webid-oidc/errors.scm:1105 #, scheme-format msgid "~s is not an authorization code header (because ~a)" msgstr "~s n’est pas un en-tête de code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1098 +#: src/scm/webid-oidc/errors.scm:1108 #, scheme-format msgid "~s is not an authorization code payload (because ~a)" msgstr "~s n’est pas un contenu de code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1101 +#: src/scm/webid-oidc/errors.scm:1111 #, scheme-format msgid "the current time is ~a, and the authorization code expired at ~a" msgstr "" "la date est actuellement ~a, et le code d’autorisation a expiré à la date ~a" -#: src/scm/webid-oidc/errors.scm:1105 +#: src/scm/webid-oidc/errors.scm:1115 #, scheme-format msgid "I cannot decode ~s as an authorization code (because ~a)" msgstr "je n’ai pas pu décoder ~s comme un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1108 +#: src/scm/webid-oidc/errors.scm:1118 #, scheme-format msgid "I cannot encode ~s as an authorization code (because ~a)" msgstr "je n’ai pas pu encoder ~s comme un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1111 +#: src/scm/webid-oidc/errors.scm:1121 #, scheme-format msgid "there is no such refresh token as ~s" msgstr "il n’y a pas de jeton de rafraîchissement ~s" -#: src/scm/webid-oidc/errors.scm:1114 +#: src/scm/webid-oidc/errors.scm:1124 #, scheme-format msgid "" "the refresh token is bound to a key confirmed as ~s, but it is used with key " 
@@ -585,45 +585,45 @@ msgstr "" "Le jeton de rafraîchissement est lié à une clé confirmée par ~s, mais il est " "utilisé avec la clé ~s" -#: src/scm/webid-oidc/errors.scm:1117 +#: src/scm/webid-oidc/errors.scm:1127 #, scheme-format msgid "I cannot decode ~s as an ID token (because ~a)" msgstr "je n’ai pas pu décoder ~s comme jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1120 +#: src/scm/webid-oidc/errors.scm:1130 #, scheme-format msgid "I cannot encode ~s as an ID token (because ~a)" msgstr "je n’ai pas pu encoder ~s comme un jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1123 +#: src/scm/webid-oidc/errors.scm:1133 #, scheme-format msgid "the grant type ~s is not supported" msgstr "le type d’octroi ~s n’est pas supporté " -#: src/scm/webid-oidc/errors.scm:1126 +#: src/scm/webid-oidc/errors.scm:1136 msgid "there is no authorization code in the request" msgstr "il n’y a pas de code d’autorisation dans la requête" -#: src/scm/webid-oidc/errors.scm:1128 +#: src/scm/webid-oidc/errors.scm:1138 msgid "there is no refresh token in the request" msgstr "il n’y a pas de jeton de rafraîchissement dans la requête" -#: src/scm/webid-oidc/errors.scm:1130 +#: src/scm/webid-oidc/errors.scm:1140 #, scheme-format msgid "~s is not an ID token (because ~a)" msgstr "~s n’est pas un jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1133 +#: src/scm/webid-oidc/errors.scm:1143 #, scheme-format msgid "~s is not an ID token header (because ~a)" msgstr "~s n’est pas un en-tête de jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1136 +#: src/scm/webid-oidc/errors.scm:1146 #, scheme-format msgid "~s is not an ID token payload (because ~a)" msgstr "~s n’est pas un contenu de jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1139 +#: src/scm/webid-oidc/errors.scm:1149 #, scheme-format msgid "" "I couldn’t set the locale to ~s as an approximation of the client locale ~s" 
@@ -631,66 +631,71 @@ msgstr "" "je n’ai pas pu définir la locale à ~s comme approximation de la locale du " "client ~s" -#: src/scm/webid-oidc/errors.scm:1144 +#: src/scm/webid-oidc/errors.scm:1152 +#, scheme-format +msgid "~s does not admit ~s as an identity provider" +msgstr "~s n’admet pas ~s comme fournisseur d’identité" + +#: src/scm/webid-oidc/errors.scm:1157 msgid "that’s it" msgstr "c’est tout" -#: src/scm/webid-oidc/errors.scm:1148 +#: src/scm/webid-oidc/errors.scm:1161 #, scheme-format msgid "~a and ~a" msgstr "~a et ~a" -#: src/scm/webid-oidc/errors.scm:1151 +#: src/scm/webid-oidc/errors.scm:1164 #, scheme-format msgid "~a, ~a" msgstr "~a, ~a" -#: src/scm/webid-oidc/errors.scm:1155 +#: src/scm/webid-oidc/errors.scm:1168 #, scheme-format msgid "the signature ~a does not match key ~s with payload ~a" msgstr "la signature ~a ne correspond pas à la clé ~s avec le contenu ~a" -#: src/scm/webid-oidc/errors.scm:1158 +#: src/scm/webid-oidc/errors.scm:1171 msgid "there is an undefined variable" msgstr "il y a une variable non définie" -#: src/scm/webid-oidc/errors.scm:1160 +#: src/scm/webid-oidc/errors.scm:1173 #, scheme-format msgid "the origin is ~a" msgstr "l’origine est ~a" -#: src/scm/webid-oidc/errors.scm:1163 +#: src/scm/webid-oidc/errors.scm:1176 #, scheme-format msgid "a message is attached: ~a" msgstr "un message est attaché : ~a" -#: src/scm/webid-oidc/errors.scm:1166 +#: src/scm/webid-oidc/errors.scm:1179 #, scheme-format msgid "the values ~s are problematic" msgstr "les valeurs ~s sont problématiques" -#: src/scm/webid-oidc/errors.scm:1169 +#: src/scm/webid-oidc/errors.scm:1182 msgid "there is a kind and args" msgstr "il y a un type et des arguments" -#: src/scm/webid-oidc/errors.scm:1171 +#: src/scm/webid-oidc/errors.scm:1184 msgid "there is an assertion failure" msgstr "il y a un échec d’assertion" -#: src/scm/webid-oidc/errors.scm:1173 +#: src/scm/webid-oidc/errors.scm:1186 #, scheme-format msgid "the program quits with code ~a" msgstr "le 
programme quitte avec le code ~a" -#: src/scm/webid-oidc/errors.scm:1176 +#: src/scm/webid-oidc/errors.scm:1189 msgid "the program cannot recover from this exception" msgstr "le programme ne peut pas récupérer après cette exception" -#: src/scm/webid-oidc/errors.scm:1178 +#: src/scm/webid-oidc/errors.scm:1191 msgid "there is an error" msgstr "il y a une erreur" -#: src/scm/webid-oidc/errors.scm:1180 +#: src/scm/webid-oidc/errors.scm:1193 #, scheme-format msgid "Unhandled exception type ~a." msgstr "Type d’exception non pris en charge ~a." @@ -1082,10 +1087,6 @@ msgstr "" "~a peut maintenant s'identifier en votre nom. Vous devez " "toujours ajuster ses permissions." -#, scheme-format -#~ msgid "~s does not admit ~s as an identity provider" -#~ msgstr "~s n’admet pas ~s comme fournisseur d’identité" - #, scheme-format #~ msgid "" #~ "~a is neither an identity provider (because ~a) nor a webid (because ~a)" diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot index a50d88b..2aafbac 100644 --- a/po/webid-oidc.pot +++ b/po/webid-oidc.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-05-10 22:56+0200\n" +"POT-Creation-Date: 2021-05-10 22:58+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -122,560 +122,565 @@ msgstr "" msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" msgstr "" -#: src/scm/webid-oidc/errors.scm:829 +#: src/scm/webid-oidc/errors.scm:839 msgid "that’s how it is" msgstr "" -#: src/scm/webid-oidc/errors.scm:834 +#: src/scm/webid-oidc/errors.scm:844 #, scheme-format msgid "the value ~s is not a base64 string (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:837 +#: src/scm/webid-oidc/errors.scm:847 #, scheme-format msgid "the value ~s is not JSON (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:840 +#: src/scm/webid-oidc/errors.scm:850 #, scheme-format msgid "the value ~s is not Turtle (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:843 +#: src/scm/webid-oidc/errors.scm:853 #, scheme-format msgid "the value ~s does not identify an elleptic curve" msgstr "" -#: src/scm/webid-oidc/errors.scm:848 +#: src/scm/webid-oidc/errors.scm:858 #, scheme-format msgid "the value ~s does not identify a JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:850 +#: src/scm/webid-oidc/errors.scm:860 #, scheme-format msgid "the value ~s does not identify a JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:855 +#: src/scm/webid-oidc/errors.scm:865 #, scheme-format msgid "the value ~s does not identify a public JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:857 +#: src/scm/webid-oidc/errors.scm:867 #, scheme-format msgid "the value ~s does not identify a public JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:862 +#: src/scm/webid-oidc/errors.scm:872 #, scheme-format msgid "the value ~s does not identify a private JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:864 +#: src/scm/webid-oidc/errors.scm:874 #, scheme-format msgid "the value ~s does not identify a private JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:869 +#: src/scm/webid-oidc/errors.scm:879 #, scheme-format msgid "the value ~s does not identify a JWKS (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:871 +#: 
src/scm/webid-oidc/errors.scm:881 #, scheme-format msgid "the value ~s does not identify a JWKS" msgstr "" -#: src/scm/webid-oidc/errors.scm:874 +#: src/scm/webid-oidc/errors.scm:884 #, scheme-format msgid "the value ~s does not identify a hash algorithm" msgstr "" -#: src/scm/webid-oidc/errors.scm:877 +#: src/scm/webid-oidc/errors.scm:887 #, scheme-format msgid "the value ~s is not an alist or misses key ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:880 +#: src/scm/webid-oidc/errors.scm:890 #, scheme-format msgid "the value ~s is not a JWS header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:883 +#: src/scm/webid-oidc/errors.scm:893 #, scheme-format msgid "the value ~s is not a JWS payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:886 +#: src/scm/webid-oidc/errors.scm:896 #, scheme-format msgid "the value ~s is not a JWS (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:889 +#: src/scm/webid-oidc/errors.scm:899 #, scheme-format msgid "the string ~s cannot be split in 3 parts with ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:892 +#: src/scm/webid-oidc/errors.scm:902 #, scheme-format msgid "" "all key candidates failed to verify signature ~s with algorithm ~s and " "payload ~a (there were ~a: ~s)" msgstr "" -#: src/scm/webid-oidc/errors.scm:895 +#: src/scm/webid-oidc/errors.scm:905 #, scheme-format msgid "I cannot decode JWS ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:898 +#: src/scm/webid-oidc/errors.scm:908 #, scheme-format msgid "I cannot encode JWS ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:901 +#: src/scm/webid-oidc/errors.scm:911 #, scheme-format msgid "" "the server request unexpectedly failed with code ~a and reason phrase ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:906 +#: src/scm/webid-oidc/errors.scm:916 #, scheme-format msgid "the header ~a should not have the value ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:908 +#: src/scm/webid-oidc/errors.scm:918 #, scheme-format 
msgid "the header ~a should be present" msgstr "" -#: src/scm/webid-oidc/errors.scm:911 +#: src/scm/webid-oidc/errors.scm:921 #, scheme-format msgid "the server response wasn't expected: ~s (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:917 +#: src/scm/webid-oidc/errors.scm:927 #, scheme-format msgid "the value ~s is not an OIDC configuration (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:922 +#: src/scm/webid-oidc/errors.scm:932 #, scheme-format msgid "the webid field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:923 +#: src/scm/webid-oidc/errors.scm:933 msgid "the webid field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:927 +#: src/scm/webid-oidc/errors.scm:937 #, scheme-format msgid "the sub field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:928 +#: src/scm/webid-oidc/errors.scm:938 msgid "the sub field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:932 +#: src/scm/webid-oidc/errors.scm:942 #, scheme-format msgid "the iss field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:933 +#: src/scm/webid-oidc/errors.scm:943 msgid "the iss field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:937 +#: src/scm/webid-oidc/errors.scm:947 #, scheme-format msgid "the aud field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:938 +#: src/scm/webid-oidc/errors.scm:948 msgid "the aud field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:942 +#: src/scm/webid-oidc/errors.scm:952 #, scheme-format msgid "the iat field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:943 +#: src/scm/webid-oidc/errors.scm:953 msgid "the iat field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:947 +#: src/scm/webid-oidc/errors.scm:957 #, scheme-format msgid "the exp field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:948 +#: src/scm/webid-oidc/errors.scm:958 msgid "the exp field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:952 +#: 
src/scm/webid-oidc/errors.scm:962 #, scheme-format msgid "the cnf/jkt field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:953 +#: src/scm/webid-oidc/errors.scm:963 msgid "the cnf/jkt field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:957 +#: src/scm/webid-oidc/errors.scm:967 #, scheme-format msgid "the client-id field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:958 +#: src/scm/webid-oidc/errors.scm:968 msgid "the client-id field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:962 +#: src/scm/webid-oidc/errors.scm:972 #: src/scm/webid-oidc/authorization-page-unsafe.scm:132 #, scheme-format msgid "the redirect_uris field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:963 +#: src/scm/webid-oidc/errors.scm:973 #: src/scm/webid-oidc/authorization-page-unsafe.scm:133 msgid "the redirect_uris field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:967 +#: src/scm/webid-oidc/errors.scm:977 #, scheme-format msgid "the typ field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:968 +#: src/scm/webid-oidc/errors.scm:978 msgid "the typ field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:972 +#: src/scm/webid-oidc/errors.scm:982 #, scheme-format msgid "the jwk field is incorrect: ~s (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:974 +#: src/scm/webid-oidc/errors.scm:984 msgid "the jwk field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:978 +#: src/scm/webid-oidc/errors.scm:988 #, scheme-format msgid "the jti field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:979 +#: src/scm/webid-oidc/errors.scm:989 msgid "the jti field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:983 +#: src/scm/webid-oidc/errors.scm:993 #, scheme-format msgid "the nonce field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:984 +#: src/scm/webid-oidc/errors.scm:994 msgid "the nonce field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:988 +#: 
src/scm/webid-oidc/errors.scm:998 #, scheme-format msgid "the htm field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:989 +#: src/scm/webid-oidc/errors.scm:999 msgid "the htm field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:993 +#: src/scm/webid-oidc/errors.scm:1003 #, scheme-format msgid "the htu field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:994 +#: src/scm/webid-oidc/errors.scm:1004 msgid "the htu field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:996 +#: src/scm/webid-oidc/errors.scm:1006 #, scheme-format msgid "~s is not an access token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:999 +#: src/scm/webid-oidc/errors.scm:1009 #, scheme-format msgid "~s is not an access token header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1002 +#: src/scm/webid-oidc/errors.scm:1012 #, scheme-format msgid "~s is not an access token payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1005 +#: src/scm/webid-oidc/errors.scm:1015 #, scheme-format msgid "~s is not a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1008 +#: src/scm/webid-oidc/errors.scm:1018 #, scheme-format msgid "~s is not a DPoP proof header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1011 +#: src/scm/webid-oidc/errors.scm:1021 #, scheme-format msgid "~s is not a DPoP proof payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1014 +#: src/scm/webid-oidc/errors.scm:1024 #, scheme-format msgid "I cannot fetch the issuer configuration of ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1021 +#: src/scm/webid-oidc/errors.scm:1031 #, scheme-format msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1032 +#: src/scm/webid-oidc/errors.scm:1042 #, scheme-format msgid "the HTTP method is signed for ~s, but ~s was requested" msgstr "" -#: src/scm/webid-oidc/errors.scm:1035 +#: src/scm/webid-oidc/errors.scm:1045 #, 
scheme-format msgid "the HTTP uri is signed for ~a, but ~a was requested" msgstr "" -#: src/scm/webid-oidc/errors.scm:1038 +#: src/scm/webid-oidc/errors.scm:1048 #, scheme-format msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1042 +#: src/scm/webid-oidc/errors.scm:1052 #, scheme-format msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1051 +#: src/scm/webid-oidc/errors.scm:1061 #, scheme-format msgid "the key ~s does not hash to ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1053 +#: src/scm/webid-oidc/errors.scm:1063 #, scheme-format msgid "the key confirmation of ~s failed (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1055 +#: src/scm/webid-oidc/errors.scm:1065 #, scheme-format msgid "the key confirmation of ~s failed" msgstr "" -#: src/scm/webid-oidc/errors.scm:1057 +#: src/scm/webid-oidc/errors.scm:1067 #, scheme-format msgid "the jti ~s has already been found (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1060 +#: src/scm/webid-oidc/errors.scm:1070 #, scheme-format msgid "I cannot decode ~s as an access token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1063 +#: src/scm/webid-oidc/errors.scm:1073 #, scheme-format msgid "I cannot encode ~s as an access token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1066 +#: src/scm/webid-oidc/errors.scm:1076 #, scheme-format msgid "I cannot decode ~s as a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1069 +#: src/scm/webid-oidc/errors.scm:1079 #, scheme-format msgid "I cannot encode ~s as a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1072 +#: src/scm/webid-oidc/errors.scm:1082 #, scheme-format msgid "I could not fetch a RDF graph at ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1075 +#: src/scm/webid-oidc/errors.scm:1085 #, scheme-format msgid "~s is not a client manifest 
(because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1078 +#: src/scm/webid-oidc/errors.scm:1088 #, scheme-format msgid "~s does not authorize redirection URI ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1081 +#: src/scm/webid-oidc/errors.scm:1091 msgid "I cannot serve a public manifest" msgstr "" -#: src/scm/webid-oidc/errors.scm:1083 +#: src/scm/webid-oidc/errors.scm:1093 #, scheme-format msgid "~a does not have a client manifest registration triple" msgstr "" -#: src/scm/webid-oidc/errors.scm:1086 +#: src/scm/webid-oidc/errors.scm:1096 #, scheme-format msgid "the client manifest at ~a is advertised for ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1089 +#: src/scm/webid-oidc/errors.scm:1099 #, scheme-format msgid "I could not fetch the client manifest of ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1092 +#: src/scm/webid-oidc/errors.scm:1102 #, scheme-format msgid "~s is not an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1095 +#: src/scm/webid-oidc/errors.scm:1105 #, scheme-format msgid "~s is not an authorization code header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1098 +#: src/scm/webid-oidc/errors.scm:1108 #, scheme-format msgid "~s is not an authorization code payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1101 +#: src/scm/webid-oidc/errors.scm:1111 #, scheme-format msgid "the current time is ~a, and the authorization code expired at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1105 +#: src/scm/webid-oidc/errors.scm:1115 #, scheme-format msgid "I cannot decode ~s as an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1108 +#: src/scm/webid-oidc/errors.scm:1118 #, scheme-format msgid "I cannot encode ~s as an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1111 +#: src/scm/webid-oidc/errors.scm:1121 #, scheme-format msgid "there is no such refresh token as ~s" msgstr "" -#: 
src/scm/webid-oidc/errors.scm:1114 +#: src/scm/webid-oidc/errors.scm:1124 #, scheme-format msgid "" "the refresh token is bound to a key confirmed as ~s, but it is used with key " "~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1117 +#: src/scm/webid-oidc/errors.scm:1127 #, scheme-format msgid "I cannot decode ~s as an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1120 +#: src/scm/webid-oidc/errors.scm:1130 #, scheme-format msgid "I cannot encode ~s as an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1123 +#: src/scm/webid-oidc/errors.scm:1133 #, scheme-format msgid "the grant type ~s is not supported" msgstr "" -#: src/scm/webid-oidc/errors.scm:1126 +#: src/scm/webid-oidc/errors.scm:1136 msgid "there is no authorization code in the request" msgstr "" -#: src/scm/webid-oidc/errors.scm:1128 +#: src/scm/webid-oidc/errors.scm:1138 msgid "there is no refresh token in the request" msgstr "" -#: src/scm/webid-oidc/errors.scm:1130 +#: src/scm/webid-oidc/errors.scm:1140 #, scheme-format msgid "~s is not an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1133 +#: src/scm/webid-oidc/errors.scm:1143 #, scheme-format msgid "~s is not an ID token header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1136 +#: src/scm/webid-oidc/errors.scm:1146 #, scheme-format msgid "~s is not an ID token payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1139 +#: src/scm/webid-oidc/errors.scm:1149 #, scheme-format msgid "" "I couldn’t set the locale to ~s as an approximation of the client locale ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1144 +#: src/scm/webid-oidc/errors.scm:1152 +#, scheme-format +msgid "~s does not admit ~s as an identity provider" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1157 msgid "that’s it" msgstr "" -#: src/scm/webid-oidc/errors.scm:1148 +#: src/scm/webid-oidc/errors.scm:1161 #, scheme-format msgid "~a and ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1151 +#: 
src/scm/webid-oidc/errors.scm:1164 #, scheme-format msgid "~a, ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1155 +#: src/scm/webid-oidc/errors.scm:1168 #, scheme-format msgid "the signature ~a does not match key ~s with payload ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1158 +#: src/scm/webid-oidc/errors.scm:1171 msgid "there is an undefined variable" msgstr "" -#: src/scm/webid-oidc/errors.scm:1160 +#: src/scm/webid-oidc/errors.scm:1173 #, scheme-format msgid "the origin is ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1163 +#: src/scm/webid-oidc/errors.scm:1176 #, scheme-format msgid "a message is attached: ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1166 +#: src/scm/webid-oidc/errors.scm:1179 #, scheme-format msgid "the values ~s are problematic" msgstr "" -#: src/scm/webid-oidc/errors.scm:1169 +#: src/scm/webid-oidc/errors.scm:1182 msgid "there is a kind and args" msgstr "" -#: src/scm/webid-oidc/errors.scm:1171 +#: src/scm/webid-oidc/errors.scm:1184 msgid "there is an assertion failure" msgstr "" -#: src/scm/webid-oidc/errors.scm:1173 +#: src/scm/webid-oidc/errors.scm:1186 #, scheme-format msgid "the program quits with code ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1176 +#: src/scm/webid-oidc/errors.scm:1189 msgid "the program cannot recover from this exception" msgstr "" -#: src/scm/webid-oidc/errors.scm:1178 +#: src/scm/webid-oidc/errors.scm:1191 msgid "there is an error" msgstr "" -#: src/scm/webid-oidc/errors.scm:1180 +#: src/scm/webid-oidc/errors.scm:1193 #, scheme-format msgid "Unhandled exception type ~a." msgstr "" diff --git a/src/scm/webid-oidc/Makefile.am b/src/scm/webid-oidc/Makefile.am index 6676fe9..42c65b6 100644 --- a/src/scm/webid-oidc/Makefile.am +++ b/src/scm/webid-oidc/Makefile.am 
@@ -18,7 +18,8 @@ dist_webidoidcmod_DATA += \ %reldir%/authorization-page-unsafe.scm \ %reldir%/authorization-endpoint.scm \ %reldir%/token-endpoint.scm \ - %reldir%/identity-provider.scm + %reldir%/identity-provider.scm \ + %reldir%/provider-confirmation.scm webidoidcgo_DATA += \ %reldir%/errors.go \ @@ -40,6 +41,7 @@ webidoidcgo_DATA += \ %reldir%/authorization-page-unsafe.go \ %reldir%/authorization-endpoint.go \ %reldir%/token-endpoint.go \ - %reldir%/identity-provider.go + %reldir%/identity-provider.go \ + %reldir%/provider-confirmation.go EXTRA_DIST += %reldir%/ChangeLog diff --git a/src/scm/webid-oidc/errors.scm b/src/scm/webid-oidc/errors.scm index 69077b2..45da79a 100644 --- a/src/scm/webid-oidc/errors.scm +++ b/src/scm/webid-oidc/errors.scm @@ -818,6 +818,16 @@ (raise-exception ((record-constructor &no-refresh-token)))) +(define-public &unconfimed-provider + (make-exception-type + '&unconfirmed-provider + &external-error + '(subject provider))) + +(define-public (raise-unconfirmed-provider subject provider) + (raise-exception + ((record-constructor &unconfirmed-provider) subject provider))) + (define*-public (error->str err #:key (max-depth #f)) (if (record? err) (let* ((type (record-type-descriptor err)) @@ -1138,6 +1148,9 @@ ((&unknown-client-locale) (format #f (G_ "I couldn’t set the locale to ~s as an approximation of the client locale ~s") (get 'c-locale) (get 'web-locale))) + ((&unconfirmed-provider) + (format #f (G_ "~s does not admit ~s as an identity provider") + (get 'subject) (get 'provider))) ((&compound-exception) (let ((components (get 'components))) (if (null? components) diff --git a/src/scm/webid-oidc/provider-confirmation.scm b/src/scm/webid-oidc/provider-confirmation.scm new file mode 100644 index 0000000..5e9357c --- /dev/null +++ b/src/scm/webid-oidc/provider-confirmation.scm 
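Review bot: The new exception type in the first errors.scm hunk is bound as `&unconfimed-provider` (missing "r"), while `raise-unconfirmed-provider` directly below it calls `(record-constructor &unconfirmed-provider)`. Unless that name is bound somewhere outside this diff, the raise path ends in an unbound-variable error instead of the intended exception, so callers cannot tell a rejected identity provider from a programming error. The binding should read `(define-public &unconfirmed-provider`. A one-line comment on the pair saying that `subject` is the WebID and `provider` the issuer being rejected would also help when reading the message added in the second errors.scm hunk.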
@@ -0,0 +1,69 @@ +(define-module (webid-oidc provider-confirmation) + #:use-module (webid-oidc fetch) + #:use-module (web uri) + #:use-module (web client) + #:use-module (web response) + #:use-module (rnrs bytevectors) + #:use-module (srfi srfi-19) + #:use-module (ice-9 receive) + #:use-module (ice-9 optargs) + #:use-module (rdf rdf) + #:use-module (turtle tordf)) + +(define (find-confirmations subject graph) + (cond ((null? graph) '()) + ((and (string=? (rdf-triple-predicate (car graph)) + "http://www.w3.org/ns/solid/terms#oidcIssuer") + (string? (rdf-triple-subject (car graph))) + (string=? (rdf-triple-subject (car graph)) subject) + (string? (rdf-triple-object (car graph))) + (string->uri (rdf-triple-object (car graph))) + (eq? (uri-scheme (string->uri (rdf-triple-object (car graph)))) + 'https)) + (cons (string->uri (rdf-triple-object (car graph))) + (find-confirmations subject (cdr graph)))) + (else (find-confirmations subject (cdr graph))))) + +(define (serve-confirmations expiration-date subject cnf) + (let ((resource (format #f "@prefix solid: . + +<~a> solid:oidcIssuer ~a . +" + (uri->string subject) + (string-join (map (lambda (uri) + (format #f "<~a>" (uri->string uri))) + cnf) + ", ")))) + (values (build-response #:headers `((content-type text/turtle) + (expires . ,expiration-date))) + resource))) + +(define*-public (get-provider-confirmations subject + #:key + (http-get http-get)) + (unless (equal? (uri-scheme subject) 'https) + (set! 
subject (build-uri 'https + #:userinfo (uri-userinfo subject) + #:host (uri-host subject) + #:port (uri-port subject) + #:path (uri-path subject) + #:query (uri-query subject) + #:fragment (uri-fragment subject)))) + (let ((graph (fetch subject #:http-get http-get))) + (cons (build-uri 'https + #:userinfo (uri-userinfo subject) + #:host (uri-host subject) + #:port (uri-port subject)) + (find-confirmations (uri->string subject) graph)))) + +(define*-public (confirm-provider subject issuer + #:key (http-get http-get)) + (define (search lst) + (if (null? lst) + (raise-unconfirmed-provider subject issuer) + (or (string=? (car lst) (uri->string issuer)) + (search (cdr lst))))) + (unless (string=? (uri-host subject) (uri-host issuer)) + (search (get-provider-confirmations + subject + #:http-get http-get)))) diff --git a/tests/Makefile.am b/tests/Makefile.am index 947afc8..ba64f00 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -35,7 +35,8 @@ TESTS = %reldir%/load-library.scm \ %reldir%/authorization-endpoint-get-form.scm \ %reldir%/authorization-endpoint-submit-form.scm \ %reldir%/token-endpoint-issue.scm \ - %reldir%/token-endpoint-refresh.scm + %reldir%/token-endpoint-refresh.scm \ + %reldir%/provider-confirmation.scm EXTRA_DIST += $(TESTS) %reldir%/ChangeLog diff --git a/tests/provider-confirmation.scm b/tests/provider-confirmation.scm new file mode 100644 index 0000000..44825e3 --- /dev/null +++ b/tests/provider-confirmation.scm 
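Review bot: `confirm-provider` skips the confirmation lookup whenever `(uri-host subject)` equals `(uri-host issuer)`, so the issuer's scheme and port are never compared. As far as this function is concerned, an issuer on the same host but over plain http or on another port passes without being listed in the WebID document, whereas `get-provider-confirmations` builds the implicit issuer from https, host and port. The shortcut should compare the full origin, for example by also requiring `(eq? (uri-scheme issuer) 'https)` and `(equal? (uri-port subject) (uri-port issuer))` (default ports may need normalising first). Separately, `search` applies `string=?` to elements of a list that `get-provider-confirmations` fills with URI records, so the cross-host path would signal a type error rather than match; `(equal? (uri->string (car lst)) (uri->string issuer))` compares like with like.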
@@ -0,0 +1,40 @@ +(use-modules (webid-oidc provider-confirmation) + (webid-oidc testing) + (web uri) + (srfi srfi-19) + (web response) + (ice-9 optargs) + (ice-9 receive)) + +(with-test-environment + "provider-confirmation" + (lambda () + (define what-uri-to-expect + (string->uri "https://provider-confirmation.scm/id#webid")) + (define what-headers-to-expect + '((accept (text/turtle)))) + (define what-to-respond + (build-response #:headers '((content-type text/turtle)))) + (define what-to-respond-body + "@prefix solid: . + +<#webid> solid:oidcIssuer , . +") + (define* (http-get uri #:key (headers '())) + (unless (equal? uri what-uri-to-expect) + (exit 1)) + (unless (equal? headers what-headers-to-expect) + (exit 2)) + (values what-to-respond what-to-respond-body)) + (define cnf (get-provider-confirmations + (string->uri "https://provider-confirmation.scm/id#webid") + #:http-get http-get)) + (unless (eq? (length cnf) 2) + (format (current-error-port) "~s\n" cnf) + (exit 3)) + (unless (string=? (uri->string (car cnf)) + "https://provider-confirmation.scm") + (exit 4)) + (unless (string=? (uri->string (cadr cnf)) + "https://other-provider.provider-confirmation.scm") + (exit 5)))) -- cgit v1.2.3
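Review bot: The test exercises only `get-provider-confirmations`; `confirm-provider`, which makes the actual accept/reject decision, has no case here. Cases for a listed issuer, an unlisted issuer (expecting the unconfirmed-provider exception) and a same-host issuer would pin that decision down. They would also show whether `raise-unconfirmed-provider` resolves inside the new module, whose visible `#:use-module` list does not include `(webid-oidc errors)` (it may be re-exported by another import, which the diff does not show). A brief comment above the mocked `http-get` stating that exit codes 1 and 2 mean an unexpected URI or unexpected request headers would make failures easier to read.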