Closed babisRoutis closed 5 months ago
Draft 13 mentions the following:
"If the Token Request contains an authorization_details parameter (as defined by [RFC9396]) of type openid_credential and the Credential Issuer's metadata contains an authorization_servers parameter, the authorization_details object MUST contain the Credential Issuer's identifier in the locations element."
It must be investigated if authorization_details
should also be supported when placing the request to /token endpoint.
I think that we should NOT include authorization_details
when placing a token request.
Here is the reason for this omission
RFC9396 indeed suggests that a token request may included an authorization_details
(reference). This option allows the caller (the wallet in our case) to get an access_token
with reduced authorizations compared to the ones the user authorized.
I see no real use of this feature in the context of OpenId4VCI given that what the user authorizes is driven by the credential offer
We should pass
tx_code
instead ofuser_pin