Clarify what can go in client_metadata authz request parameter

[jogu]

As per working group consensus agreed on 21st May call:

https://github.com/openid/OpenID4VP/issues/17#issuecomment-2123350290

closes #17

[jogu]

Thanks everyone for this comments - this is ready for re-review! I've applied most suggestions, other than some I've commented that I think we should handle separately if they're needed.

[c2bo]

Linking #251 here: We still have a dedicated section (Section 9) for client_metadata which is currently linked to only in section 5.1 and has less detail than the introduction done here. Should we just remove section 9 then?

on the current changes of the PR: I think this makes it a lot easier to understand 👍

[Sakurann]

I don't think there is a need to remove section 9. that one defines a new parameter and talks about discovery.

[jogu]

I've applied all comments now (other than two about the overlap with federation that I believe aren't in scope nor agreed with WG yet and have responded saying so).

@awoie could you check the new text please and approve if you're happy? It should allow for both the mdoc & jwt mac based signature you/Paul mentioned.