Closed pietroACN closed 4 months ago
"Below is a non-normative example of the decrypted payload of the JWT, before base64url encoding and signing"
(emphasis mine)
Unless I am missing something (which might indeed be the case), the current version of the specifications does not suggest that the Authorization Response is signed.
OIDC4VP allows, as an option, encrypted but not signed responses (see here), and the example in the italian specifications follows the requirement of an unsigned response, as it doesn't have `iss`, `exp`, or `aud` claims.
If the response is indeed signed, in my opinion the specs should further stress it and provide an aligned example.
In this process the Wallet Instance sends the Authorization Response to the Relying Party. It would be necessary to clarify the "response" format, changing the example set here from "Below is a non-normative example of the decrypted JSON response content" to "Below is a non-normative example of the decrypted payload of the JWT, before base64url encoding and signing".
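The distinction the thread turns on (an encrypted JWE response versus a signed JWS response that would be expected to carry `iss`, `exp` and `aud`) can be checked structurally. The following is an added example, not code from the issue thread or from the specification it discusses: it classifies a compact-serialized token as JWS or JWE by segment count and protected header, and for a JWS lists which of those three claims are missing. The helper names, the claim set `SIGNED_RESPONSE_CLAIMS`, and the sample payloads and tokens are all constructed for this illustration; the demo tokens carry placeholder signature and ciphertext segments and nothing here verifies a signature or decrypts anything.

```python
import base64
import json

# Claims the discussion above expects on a signed (JWS) Authorization Response
# and which the unsigned example payload lacks. Constructed for this example.
SIGNED_RESPONSE_CLAIMS = ("iss", "exp", "aud")


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding compact JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_response(token: str) -> dict:
    """Structural check only (no signature verification, no decryption).

    5 segments -> JWE (encrypted): header.encrypted_key.iv.ciphertext.tag;
                  the claims are not inspectable without the decryption key.
    3 segments -> JWS (signed): header.payload.signature; report which of
                  iss/exp/aud are absent from the payload.
    Hypothetical helper written for this illustration.
    """
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5:
        return {"kind": "JWE", "alg": header.get("alg"),
                "enc": header.get("enc"), "missing": []}
    if len(parts) == 3:
        payload = json.loads(_b64url_decode(parts[1]))
        missing = [c for c in SIGNED_RESPONSE_CLAIMS if c not in payload]
        return {"kind": "JWS", "alg": header.get("alg"), "missing": missing}
    raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")


def make_demo_jws(payload: dict, alg: str = "ES256") -> str:
    """Build a JWS-shaped token with a PLACEHOLDER signature segment.

    Constructed for the demo; it is not cryptographically valid and
    classify_response never verifies it.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


def make_demo_jwe() -> str:
    """Build a JWE-shaped token with placeholder iv/ciphertext/tag segments.

    ECDH-ES direct key agreement leaves the encrypted-key segment empty.
    Constructed for the demo; nothing is actually encrypted.
    """
    header = _b64url_encode(json.dumps({"alg": "ECDH-ES", "enc": "A256GCM"}).encode())
    return ".".join([header, "", _b64url_encode(b"iv"),
                     _b64url_encode(b"ciphertext"), _b64url_encode(b"tag")])


# Constructed payloads mirroring the shape discussed in the thread
# (placeholder values, not copied from any specification example).
UNSIGNED_STYLE_PAYLOAD = {
    "vp_token": "<vp_token-placeholder>",
    "presentation_submission": {"id": "<submission-id-placeholder>"},
    "state": "<state-placeholder>",
}
SIGNED_STYLE_PAYLOAD = dict(
    UNSIGNED_STYLE_PAYLOAD,
    iss="https://wallet.example/instance/placeholder",
    aud="https://rp.example/callback",
    exp=1700000300,
)

UNSIGNED_STYLE_TOKEN = make_demo_jws(UNSIGNED_STYLE_PAYLOAD)
SIGNED_STYLE_TOKEN = make_demo_jws(SIGNED_STYLE_PAYLOAD)
JWE_TOKEN = make_demo_jwe()

if __name__ == "__main__":
    for name, tok in [("unsigned-style JWS", UNSIGNED_STYLE_TOKEN),
                      ("signed-style JWS", SIGNED_STYLE_TOKEN),
                      ("JWE", JWE_TOKEN)]:
        print(name, "->", classify_response(tok))
```

Run as a script, the unsigned-style payload wrapped in a JWS shows all three of `iss`, `exp` and `aud` missing, which is exactly the mismatch the comment points at between "decrypted JSON response content" and "decrypted payload of the JWT, before base64url encoding and signing"; the JWE case shows why an encrypted-only response cannot be judged on its claims at all from the outside.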