digitalbazaar / oid4-client

An OIDC4VCI client
BSD 3-Clause "New" or "Revised" License

Bug: Issuer config url generation is incorrect #24

Closed cykoder closed 3 weeks ago

cykoder commented 1 month ago

As per the spec:

Credential Issuers publishing metadata MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-credential-issuer to the Credential Issuer Identifier. If the Credential Issuer value contains a path component, any terminating / MUST be removed before appending /.well-known/openid-credential-issuer.

https://github.com/digitalbazaar/oid4-client/blob/main/lib/OID4Client.js#L241

      const issuerConfigUrl =
        `${parsedIssuer.origin}/.well-known/openid-credential-issuer` +
        parsedIssuer.pathname;

should be more like

      const issuerConfigUrl =
        `${parsedIssuer.origin}${parsedIssuer.pathname}/.well-known/openid-credential-issuer`;

dlongley commented 1 month ago

+1 we need to figure out what to do here.

This behavior changed in the spec from one draft to another (or perhaps within the same draft, I don't recall). The spec now contradicts how this is usually done in OAuth for retrieving other server metadata. It's not clear to me that it won't change back at some point for that reason. We may need to support a flag to control how this is done and pick a default for the current version of this library (that could default to another version in the future if it changes back).

dlongley commented 3 weeks ago

In v3.6 we implement both approaches to creating the issuer config URLs to get interop with either approach.
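
A sketch of building both URL forms discussed in this thread, with the terminating `/` removed as the quoted spec text requires. This is an added example, not code from oid4-client: the function names, the sample issuer and the sample document are constructed, and the https/query/fragment check and the `credential_issuer` comparison are assumptions taken from the OID4VCI metadata definition rather than from the thread.

```javascript
// Added example; not oid4-client's code. All names here are hypothetical.
const WELL_KNOWN = '/.well-known/openid-credential-issuer';

// Return the metadata URLs to try for an issuer identifier, spec form first.
function issuerConfigUrlCandidates(issuer) {
  const parsed = new URL(issuer);
  // Extra check added for this example: https only, no query or fragment.
  if(parsed.protocol !== 'https:' || parsed.search || parsed.hash) {
    throw new Error(`Unsupported issuer identifier: ${issuer}`);
  }
  // Remove a terminating "/" so "/tenant/1/" and "/" do not yield "//".
  const path = parsed.pathname.replace(/\/$/, '');
  // Quoted spec text: well-known suffix appended to the identifier.
  const appended = `${parsed.origin}${path}${WELL_KNOWN}`;
  // OAuth-style: well-known segment placed between origin and path.
  const inserted = `${parsed.origin}${WELL_KNOWN}${path}`;
  // Without a path component both forms are identical; de-duplicate.
  return [...new Set([appended, inserted])];
}

// Pick the first candidate whose document names the same issuer, so that
// metadata served at an unexpected location is not accepted silently.
// `documents` maps URL -> parsed JSON and stands in for HTTP responses.
function pickIssuerConfig(issuer, documents) {
  for(const url of issuerConfigUrlCandidates(issuer)) {
    const config = documents.get(url);
    if(config && config.credential_issuer === issuer) {
      return {url, config};
    }
  }
  return null;
}

// Constructed sample: an issuer that only serves the OAuth-style location.
const sampleIssuer = 'https://issuer.example/tenant/1';
const sampleDocuments = new Map([[
  'https://issuer.example/.well-known/openid-credential-issuer/tenant/1',
  {credential_issuer: sampleIssuer}
]]);
console.log(issuerConfigUrlCandidates(sampleIssuer));
console.log(pickIssuerConfig(sampleIssuer, sampleDocuments).url);
```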