openid / OpenID4VP


Clarify the value of the aud claim in the Key Binding JWT #309

Closed charsleysa closed 2 days ago

charsleysa commented 2 weeks ago

The example in B.4.5 shows that the aud claim should have a value of https://example.com/verifier, however the note says that it should be the same value as the Client Identifier (which would contain the Client Identifier Scheme).

Other examples (such as B.5.2) have the scheme included.

Is this a typo or is the intention to strip the scheme for Key Binding JWTs?

jogu commented 2 weeks ago

https://example.com/verifier is a valid client identifier, using the Client Identifier Scheme https which is currently defined to mean an OpenID Federation entity id - see the text here:

https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#name-defined-client-identifier-s:~:text=https%3A%20This%20value,example.com.

So yes, the client id scheme must be included in the aud claim value. It might make sense to use x509_san_uri in the example instead to make it clearer.
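
A verifier-side check of the point made above, as an added example that is not part of this thread or of the OpenID4VP project: it parses a constructed Key Binding JWT and accepts it only when its aud claim equals the verifier's full Client Identifier, scheme prefix included, so a value with the scheme stripped is rejected. The prefixed schemes listed beyond x509_san_uri, and the kb+jwt typ value, are assumptions taken from the drafts rather than from this page.

```python
import base64
import json

# Client Identifier Schemes. "https" carries no prefix (the whole URL is the
# identifier, a Federation entity id); the others are prefixed. Schemes other
# than https and x509_san_uri are assumed from the draft, not quoted here.
PREFIXED_SCHEMES = ("x509_san_uri", "x509_san_dns", "redirect_uri",
                    "did", "verifier_attestation")


def client_id_scheme(client_id: str) -> str:
    """Return the Client Identifier Scheme a client_id string encodes."""
    if client_id.startswith("https://"):
        return "https"
    prefix, sep, _rest = client_id.partition(":")
    if sep and prefix in PREFIXED_SCHEMES:
        return prefix
    return "pre-registered"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def kb_jwt_payload(kb_jwt: str) -> dict:
    """Decode a KB-JWT payload after checking the typ header (assumed: kb+jwt)."""
    parts = kb_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "kb+jwt":
        raise ValueError("not a Key Binding JWT")
    return json.loads(_b64url_decode(parts[1]))


def aud_matches_client_id(kb_jwt: str, verifier_client_id: str) -> bool:
    """Verifier-side check: aud must equal the full client_id, scheme included.
    Exact comparison; no normalisation or prefix stripping is applied.
    Signature verification against the holder key is out of scope here."""
    return kb_jwt_payload(kb_jwt).get("aud") == verifier_client_id


def make_kb_jwt(payload: dict) -> str:
    """Constructed sample KB-JWT with a dummy signature, for this demo only."""
    header = {"alg": "ES256", "typ": "kb+jwt"}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "ZHVtbXk"])
```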

bc-pi commented 2 weeks ago

It might also make sense to change things such that all client id schemes are treated equally with respect to prefixing. And maybe avoid potential confusion like this.

selfissued commented 2 weeks ago

I agree with @jogu. The example is valid as is.

charsleysa commented 2 weeks ago

@jogu thanks for the clarification.

It would also be clearer if the client_id in the example requests matched the values in the example responses.

I see that request examples in B.4.4 and B.5.1 have different values to the response values in B.4.5 and B.5.1 respectively.

Sakurann commented 6 days ago

Fair point on B.4.4 and B.4.5 not matching - did PR #332. B.5.1 and B.5.2 already match, I think.