[ISSUANCE]: Remove exp claim from Request Object

[fmarino-ipzs]

In the current request object, the exp claim is included. However, considering that the response already contains the request_uri and expires_in parameters, the exp parameter doesn’t add any additional value. Therefore, I propose removing the exp claim from the request object.

[peppelinux]

A signed object SHOULD always include an expiration time. Specifically, a request's expiration time represents the point beyond which the request no longer holds value for the relying party that needs to authenticate a user within a specified timeframe.

expires_in is related to the response.

we use exp in spid cie oidc as well.

There might be cases where the request would not have a expiration (such as static request printed in a qrcode). I would explain this: exp should be there.

[fmarino-ipzs]

In CIE id and SPID we are not using PAR + JAR so exp claim is mandatory. Here we have expires_in which is related to the request uri lifetime which is basically linked one to one to the PAR.

As a side effect we have that the time frame for the usere authentication is under the control of the Issuer which actually authenticates the user.

[peppelinux]

my fault, I was interpret this issue as related to the presentation flow.

[peppelinux]

@fmarino-ipzs I don't see the requirement of exp in the PAR request, according to https://datatracker.ietf.org/doc/html/rfc9126.html

at the same time the current text refers to PAR in relation to the requirement of having the exp, and this is wrong, thereforew must be fixed

since the request must be signed I see the best current practice to provide the expiration of the signature of the request object