Description
The spec says ...
scope: OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request as defined in Section 5.1.2. Scope values in this Credential Issuer metadata MAY duplicate those in the scopes_supported parameter of the Authorization Server. If scope is absent, the only way to request the Credential is using authorization_details [RFC9396] - in this case, the OAuth Authorization Server metadata for one of the Authorization Servers found from the Credential Issuer's Metadata must contain an authorization_details_types_supported that contains openid_credential.
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-12.2.4
There seems to be a 1:N relationship from scope to credential_configuration_id.
However, in the issuer metadata, we have ...
```json
"credential_configurations_supported": {
  "oid4vc_natural_person_jwt": {
    "format": "jwt_vc_json",
    "scope": "oid4vc_natural_person_jwt",
    "credential_definition": {
      "type": [
        "oid4vc_natural_person"
      ],
      "@context": [
        "oid4vc_natural_person"
      ]
    }
  },
  "oid4vc_natural_person_sd": {
    "format": "dc+sd-jwt",
    "scope": "oid4vc_natural_person_sd",
    "vct": "oid4vc_natural_person"
  }
}
```
If done properly, it would mean that an AuthorizationRequest with scope=oid4vc_natural_person would give an AccessToken with multiple authorization_details, one for each credential_configuration_id that has oid4vc_natural_person as its vc.scope attribute.
Since we treat the unique ClientScope.Name as a synonym for credential_configuration_id that goes into the AuthorizationRequest scope parameter, it is not so obvious how this can work in the context of the OID4VCI credential scope.
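The 1:N resolution described in the issue, as an added Python sketch that is not part of the original issue or of the project's code. The metadata is constructed: unlike the excerpt above, both configurations share one scope value and a third declares none. The function names are hypothetical.

```python
from collections import defaultdict

# Constructed issuer metadata (assumption): two configurations share the scope
# "oid4vc_natural_person"; "constructed_no_scope" declares no scope at all.
ISSUER_METADATA = {
    "credential_configurations_supported": {
        "oid4vc_natural_person_jwt": {
            "format": "jwt_vc_json", "scope": "oid4vc_natural_person"},
        "oid4vc_natural_person_sd": {
            "format": "dc+sd-jwt", "scope": "oid4vc_natural_person",
            "vct": "oid4vc_natural_person"},
        "constructed_no_scope": {
            "format": "dc+sd-jwt", "vct": "constructed_example"},
    }
}


def configs_by_scope(metadata):
    """Map each scope value to every credential_configuration_id declaring it."""
    index = defaultdict(list)
    for config_id, config in metadata["credential_configurations_supported"].items():
        scope = config.get("scope")
        if scope is not None:
            index[scope].append(config_id)
    return {scope: sorted(ids) for scope, ids in index.items()}


def authorization_details_for(metadata, scope_param):
    """Expand a space-delimited scope parameter into one authorization_details
    entry per matching configuration. Scopes that match no credential
    configuration (for example "openid") contribute nothing."""
    index = configs_by_scope(metadata)
    details = []
    for scope in dict.fromkeys(scope_param.split()):  # de-duplicate, keep order
        for config_id in index.get(scope, []):
            details.append({"type": "openid_credential",
                            "credential_configuration_id": config_id})
    return details


def only_via_authorization_details(metadata):
    """Configurations without a scope cannot be requested by scope at all."""
    configs = metadata["credential_configurations_supported"]
    return sorted(cid for cid, cfg in configs.items() if "scope" not in cfg)
```

Keying the lookup on the scope value rather than on the credential_configuration_id is what lets one requested scope fan out to several configurations.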