Redirect webId: CSS makes oidcIssuer IRI relative, then fails authentication because of wrong baseIRI

[mrkvon]

My webId has a form https://webid.example, and it redirects to a profile document https://pod.example/profile/card. (see https://id.mrkvon.org for real-world example)

CommunitySolidServer seems to have started prettifying turtle recently, which includes replacing absolute URIs with relative URIs, e.g.

<https://webid.example> solid:oidcIssuer <https://pod.example/> .

during an unrelated n3/patch of the profile document (https://pod.example/profile/card) has become

<https://webid.example> solid:oidcIssuer <../> .`

Then this snippet:

access-token-verifier/src/algorithm/retrieveWebidTrustedOidcIssuers.ts

Lines 46 to 49 in b35fbed

	const store = parseRdf(
	await dereferenceWebid(webid),
	Object.assign(new URL(webid), { hash: "" }).href,
	);

uses webid without hash as baseIRI instead of response.url, leading to authentication error like:

[DPoPWebIdExtractor] {Primary} warn: Error verifying WebID via DPoP-bound access token: The access token issuer doesn't match its associated WebID's trusted OIDC issuers.
Actual: https://webid.example/
Expected: https://pod.example/

Expected result:

Authentication should work even for redirect webIds, after CSS started producing turtle with relative IRIs.