PushedAuthorizationRequest: AuthorizationDetails: missing locations

[ydanneg]

Hi.

Specification says we should add (conditionally) Location to AuthorizationDetails which is missing now. https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-openid4vci-kt/blob/main/src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/AuthorizationServerClient.kt#L365

If the Credential Issuer metadata contains an authorization_servers parameter, 
the authorization detail's locations common data field MUST be set to the Credential 
Issuer Identifier value.

ref: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-5.1.1

[babisRoutis]

Ηι @ydanneg

Literally reading the reference you provided, the location must be provided when there is a authorization_servers array.

On the other hand:

• What if there is an authorization_servers array with a single value? In this case, authorization request (simple or PAR) will be send to this server anyway.
• In case there is a Credential Issuer is protected by more than one OAUTH2 server, a credential offer has to explicitly define for which server is applicable (nested inside authorization_code or/and urn:ietf:params:oauth:grant-type:pre-authorized_code grants (see here)

Bottom line, I think that location should be provided in case there are more than one authorizations_servers and in addition the credential offer doesn't explicitly define an authorization_server .

Nevertheless, I will check this again.

[babisRoutis]

Perhaps, an easy way to implement this - leaving aside spec questioning - would be to add to AuthorizationServerClient a private member private val includeLocation: Boolean. Depending on this, the location attribute could be set or not.

The value of includeLocation could be calculated by the factory method that instantiates AuthorizationServerClient found on the companion object of Issuer

[babisRoutis]

My analysis was wrong. Please check PR #201 for the solution provided