I was reviewing the mediation-oriented API from WebID as a successor to the permission-oriented API. I work for Microsoft in the Identity space. I observed that the mediation-oriented API is limited to Bearer authentication - "the browser will then issue a credentialed GET request." Bearer tokens (like cookies) are increasingly seen as a legacy technology in the Identity space and some Identity services already support successor technologies like DPoP. WebID should avoid constraining auth to such a legacy technology. However, it is a reasonable default.
One option might be service workers. If WebID permitted IDPs to return a "service_worker" entry as part of their well-known metadata, and then had the WebID code effectively trigger ServiceWorkerContainer.register() for the URI, the service worker could customize the subsequent account list and token fetch requests and responses. In this manner, WebID could default to Bearer credentials but still support customization, so as to avoid over-constraining the Identity space and becoming a blocker to future security features. That might allow IDPs who have moved beyond Bearer authentication to e.g. sign over the request, to protect the user from MITM attacks.