diff --git a/solid/lib/Controller/ServerController.php b/solid/lib/Controller/ServerController.php
index b4dc255b..7f74b9b5 100644
--- a/solid/lib/Controller/ServerController.php
+++ b/solid/lib/Controller/ServerController.php
@@ -268,14 +268,15 @@ public function authorize() {
 $server = new \Pdsinterop\Solid\Auth\Server($this->authServerFactory, $this->authServerConfig, $response);
 $response = $server->respondToAuthorizationRequest($request, $user, $approval);
+/*
 $response = $this->tokenGenerator->addIdTokenToResponse(
 $response,
 $clientId,
 $this->getProfilePage(),
- $this->session->get("nonce"),
+ '', // $this->session->get("nonce"),
 $this->config->getPrivateKey()
 );
-
+*/
 return $this->respond($response); // ->addHeader('Access-Control-Allow-Origin', '*');
 }
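Review bot: The `/* … */` added around addIdTokenToResponse leaves the id_token step as commented-out dead code, and inside it the nonce argument has been swapped for `''`; if the block is ever re-enabled as written, the id_token would be minted with an empty nonce, which is the value a client relies on to tie the token to its own authorization request and detect replay. Delete the commented-out call and state the decision in one comment, e.g. `// id_token is not attached to the authorization response here; see token()`, adding the reason if it matches the FIXME in token() about the session nonce being unavailable on a public endpoint (that is an inference from the other hunk, not visible here). authorize() starts before this hunk, so whether `$clientId` is still used elsewhere in the method cannot be checked from the diff.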
@@ -323,27 +324,33 @@ public function session() {
 */
 public function token() {
 $request = \Laminas\Diactoros\ServerRequestFactory::fromGlobals($_SERVER, $_GET, $_POST, $_COOKIE, $_FILES);
- $grantType = $request->getParsedBody()['grant_type'];
+ $requestBody = $request->getParsedBody();
+ $grantType = isset($requestBody['grant_type']) ? $requestBody['grant_type'] : null;
+ $clientId = isset($requestBody['client_id']) ? $requestBody['client_id'] : null;
 switch ($grantType) {
 case "authorization_code":
- $code = $request->getParsedBody()['code'];
+ $code = $requestBody['code'];
 // FIXME: not sure if decoding this here is the way to go.
 // FIXME: because this is a public page, the nonce from the session is not available here.
 $codeInfo = $this->tokenGenerator->getCodeInfo($code);
 $userId = $codeInfo['user_id'];
+ if (!$clientId) {
+ $clientId = $codeInfo['client_id'];
+ }
 break;
 case "refresh_token":
- $refreshToken = $request->getParsedBody()['refresh_token'];
+ $refreshToken = $requestBody['refresh_token'];
 $tokenInfo = $this->tokenGenerator->getCodeInfo($refreshToken); // FIXME: getCodeInfo should be named 'decrypt' or 'getInfo'?
 $userId = $tokenInfo['user_id'];
+ if (!$clientId) {
+ $clientId = $tokenInfo['client_id'];
+ }
 break;
 default:
 $userId = false;
 break;
 }
- $clientId = $request->getParsedBody()['client_id'];
-
 $httpDpop = $request->getServerParams()['HTTP_DPOP'];
 $response = new \Laminas\Diactoros\Response();
@@ -410,9 +417,7 @@ public function register() {
 'redirect_uris' => $clientData['redirect_uris'],
 );
 $registration = $this->tokenGenerator->respondToRegistration($registration, $this->config->getPrivateKey());
- return (new JSONResponse($registration));
-// ->addHeader('Access-Control-Allow-Origin', $origin)
-// ->addHeader('Access-Control-Allow-Methods', 'POST');
+ return (new JSONResponse($registration, 201));
 }
 /**
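Review bot: The new `$clientId` fallback only fills in a missing client_id from the decoded code or refresh token; when the request does carry a client_id it is never compared with `$codeInfo['client_id']` / `$tokenInfo['client_id']`, so a code or refresh token issued to one client is accepted for a token request that names another — the check RFC 6749 §4.1.3 requires the token endpoint to make. Reject the mismatch on the path the default branch already uses: `if ($clientId !== null && $clientId !== $codeInfo['client_id']) { $userId = false; break; }` in the authorization_code case, and the same against `$tokenInfo` in the refresh_token case. `$requestBody['code']` and `$requestBody['refresh_token']` are still read without the `isset` guard the hunk adds for grant_type and client_id; `$code = $requestBody['code'] ?? null;` keeps the handling uniform. `!$clientId` also treats the string '0' as absent, where `$clientId === null` is the intended test. token() continues past the end of this hunk, so what a false `$userId` turns into is not visible here.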
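Review bot: The 201 passed to JSONResponse on the new return line is a bare magic number; Nextcloud's `Http::STATUS_CREATED` (OCP\AppFramework\Http) says what is meant and matches the 201 that a dynamic registration response is expected to carry. `return new JSONResponse($registration, Http::STATUS_CREATED);` — assuming the Http class is imported in this file, which the hunk does not show. register() starts before this hunk.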
diff --git a/solid/tests/Unit/Controller/ServerControllerTest.php b/solid/tests/Unit/Controller/ServerControllerTest.php
index 2920b0dd..4c3cf8c2 100644
--- a/solid/tests/Unit/Controller/ServerControllerTest.php
+++ b/solid/tests/Unit/Controller/ServerControllerTest.php
@@ -348,6 +348,7 @@ public function testRegisterWithRedirectUris()
 'registration_client_uri' => '',
 'response_types' => ['id_token token'],
 'token_endpoint_auth_method' => 'client_secret_basic',
+ 'client_secret' => '3b5798fddd49e23662ee6fe801085100',
 ],
 'headers' => [
 'Cache-Control' => 'no-cache, no-store, must-revalidate',
@@ -369,6 +370,7 @@ public function testToken() {
 $_POST['client_id'] = self::MOCK_CLIENT_ID;
 $_POST['code'] = '';
+ $_POST['grant_type'] = 'authorization_code';
 $_SERVER['HTTP_DPOP'] = 'mock dpop';
 $_SESSION['nonce'] = 'mock nonce';
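Review bot: The expected `client_secret` added to the registration fixture is a fixed 32-hex literal, so the test can only pass if respondToRegistration yields the same secret on every run for this input. If that is because the secret is derived deterministically from the registration data rather than drawn from `random_bytes()` (the generator is not in this diff, so this is an inference to confirm), the secret is predictable to anyone who knows the registration request, and the generator, not the test, is what needs changing. If instead randomness is stubbed in the test setup, a comment on the new line saying so, e.g. `// fixed value: random source is stubbed in setUp()`, would stop the next reader from drawing the same conclusion.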