This raises another question - in order to allow the web-app’s server to link the WebId with some internal account, the web-app/browser must be able to prove its WebId to the server.

Unfortunately the server was never involved in the login process, which is strictly confined to the browser and the web-app’s JavaScript code, so the server has no knowledge of that process.

The web-app cannot simply POST its WebId to the server, since anybody else would be able to do the same with any WebId they wanted.

Neither can the web-app build a signed OpenID Connect token to POST, as the signing key would be available to anyone who can read the JavaScript code.

So how does the web-app / browser JavaScript code prove the WebId it received to the server it is served from? Is there any token of some sort the web-app can send to the server and allow it to validate it with the remote WebId identity provider?
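The mechanism the question is reaching for, shown as an added example that is not part of the original post: in OpenID Connect the identity provider signs the ID token with its own private key, so the browser never holds a signing secret, and the web-app's server can validate whatever the browser POSTs using only the provider's public key. The Go program below is my own illustration, not code from any Solid or WebId-OIDC implementation. It simulates the provider with an in-memory ES256 key, verifies a token the way the web-app's server would (signature first, then issuer, audience and expiry), and shows that a token whose WebId claim was swapped without the provider's key is rejected. The claim name `webid`, the issuer and client_id URLs, the subject and the fixed clock are constructed for the example; a real server would fetch the provider's keys from its published JWKS and apply whatever additional checks the WebId-OIDC specification requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of OpenID Connect ID token claims checked here.
// "webid" is a hypothetical claim name for the WebId the provider asserts.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // single audience for simplicity; OIDC also allows an array
	Exp   int64  `json:"exp"`
	WebID string `json:"webid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIDToken plays the identity provider. Only the holder of the provider's
// private key can produce a valid token, which is exactly what browser code lacks.
func SignIDToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 encodes the signature as r||s, each left-padded to 32 bytes.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken is what the web-app's server runs on a token POSTed by the browser.
// pub is the provider's public key; in production it comes from the issuer's
// published JWKS, which is public information rather than a shared secret.
func VerifyIDToken(pub *ecdsa.PublicKey, token, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Pin the algorithm: the token must never choose it ("none", key confusion).
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Claims{}, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return Claims{}, errors.New("signature invalid")
	}
	// Only after the signature checks out do we interpret the payload.
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	switch {
	case c.Iss != wantIss:
		return Claims{}, errors.New("unexpected issuer")
	case c.Aud != wantAud:
		return Claims{}, errors.New("token not issued for this web-app")
	case now.Unix() >= c.Exp:
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Demo runs the exchange end to end with constructed values: it returns the WebId
// the server accepted and whether a token with a swapped WebId claim was rejected.
func Demo() (string, bool, error) {
	const issuer = "https://idp.example"          // constructed identity provider
	const clientID = "https://webapp.example/app" // constructed web-app client_id
	idpKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, err
	}
	now := time.Unix(1_700_000_000, 0) // fixed clock so the run is repeatable
	claims := Claims{Iss: issuer, Sub: "alice", Aud: clientID,
		Exp: now.Add(time.Hour).Unix(), WebID: "https://alice.example/profile/card#me"}
	token, err := SignIDToken(idpKey, claims) // browser receives this at login
	if err != nil {
		return "", false, err
	}
	got, err := VerifyIDToken(&idpKey.PublicKey, token, issuer, clientID, now) // server side
	if err != nil {
		return "", false, err
	}
	// Someone without the provider's key rewrites the WebId claim: signature no longer matches.
	forged := claims
	forged.WebID = "https://bob.example/profile/card#me"
	body, _ := json.Marshal(forged)
	parts := strings.Split(token, ".")
	tampered := parts[0] + "." + b64(body) + "." + parts[2]
	_, tamperErr := VerifyIDToken(&idpKey.PublicKey, tampered, issuer, clientID, now)
	return got.WebID, tamperErr != nil, nil
}

func main() {
	webID, rejected, err := Demo()
	fmt.Println(webID, rejected, err)
}
```

Two design points matter here. The audience check ties the token to this web-app's client_id, so an ID token a user obtained for some other relying party cannot be replayed against this server. And the signature is verified before the payload is parsed or any claim is compared, so unauthenticated bytes never influence the decision.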