openid / OpenID4VCI


Make Issuer metadata normative #234

Open paulbastian opened 7 months ago

paulbastian commented 7 months ago

As I stated in the WG Call, I believe that credential_configuration_id is the better choice. In general, I have trouble understanding how OpenID4VCI works well without metadata, as the Wallet needs to know:

  • the credential endpoint
  • supported proof types
  • supported credentials and formats
  • display data for the issuer and the credential

Therefore I believe in a productive environment it will be very common that the Issuer has the ability to host metadata.

Originally posted by @paulbastian in https://github.com/openid/OpenID4VCI/pull/219#pullrequestreview-1833193401

As stated in #219 I believe that Credential Issuer metadata should be mandatory, it just doesn't make sense to me with the current specification otherwise.
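The four items listed above are exactly what a Wallet has to pull out of the metadata before it can send a Credential Request. The following is an added example (not code from this thread or from the OpenID4VCI project) of a Wallet-side check that resolves a credential_configuration_id against a constructed metadata document; the field names (credential_issuer, credential_endpoint, credential_configurations_supported, proof_types_supported, display) are assumed to follow the current OpenID4VCI draft.

```python
import json
from urllib.parse import urlparse

# Constructed sample Credential Issuer metadata; not a real issuer.
SAMPLE_METADATA = json.dumps({
    "credential_issuer": "https://issuer.example",
    "credential_endpoint": "https://issuer.example/credential",
    "credential_configurations_supported": {
        "UniversityDegree_jwt": {
            "format": "jwt_vc_json",
            "proof_types_supported": {
                "jwt": {"proof_signing_alg_values_supported": ["ES256"]}
            },
            "display": [{"name": "University Degree", "locale": "en-US"}],
        }
    },
    "display": [{"name": "Example University", "locale": "en-US"}],
})


def resolve_configuration(metadata_json: str, issuer: str, configuration_id: str) -> dict:
    """Return what the Wallet needs for a Credential Request, or raise.

    Checks: the document belongs to the issuer it was fetched for, the
    credential endpoint is an https URL, and the requested
    credential_configuration_id is actually advertised.
    """
    md = json.loads(metadata_json)
    if md.get("credential_issuer") != issuer:
        raise ValueError("credential_issuer does not match the expected issuer")
    endpoint = md.get("credential_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        raise ValueError("credential_endpoint missing or not https")
    cfg = md.get("credential_configurations_supported", {}).get(configuration_id)
    if cfg is None:
        raise KeyError(f"unknown credential_configuration_id: {configuration_id}")
    return {
        "credential_endpoint": endpoint,
        "format": cfg["format"],
        # Empty list means the issuer advertises no proof type for this credential.
        "proof_types": list(cfg.get("proof_types_supported", {})),
        "issuer_display": md.get("display", []),
        "credential_display": cfg.get("display", []),
    }
```

Without a metadata document every one of these lookups has to come from somewhere else, which is the gap the issue is about.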

jogu commented 7 months ago

As mentioned in https://github.com/openid/OpenID4VCI/pull/219#issuecomment-1902864880 I think there are two separate but related questions:

  1. Are credential issuers required to have metadata?
  2. Does credential issuer metadata need to list all the credentials the issuer supports?

People were reluctant to agree to '2', and there's precedent for this in OAuth, e.g. in https://datatracker.ietf.org/doc/html/rfc8414#section-2 the AS isn't required to list every supported scope in scopes_supported.

Sakurann commented 7 months ago

OAuth being a framework, I am hesitant to require all issuers to have metadata. I think the discussion in issue #82 made it clear that some implementers want to have out-of-band discovery of the issuer metadata, and I don't see any reason why we should prohibit that.