Description
It is important to be able to correlate an authorization request to a credential offer that was previously made to a given user.
This issuer_state does not apply to pre-auth offers, because the offer => user + credential association had already been made by the Issuer when creating the pre-auth offer.
Grant Type authorization_code:
issuer_state: OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent Authorization Request with a context set up during previous process steps. If the Wallet decides to use the Authorization Code Flow and received a value for this parameter, it MUST include it in the subsequent Authorization Request to the Authorization Server as the issuer_state parameter value.
Value Proposition
In a follow up step, we can introduce "issuance policies" on the client scope that models the credential configuration.
vc.policy.credential_offer.required
An authorization request based on scope alone or on authorization_details would fail for such a credential_configuration when the Wallet fails to provide the correct issuer_state.
Related #46262
Goals
- Associate minimal required issuer_state with credential offers.
- Be able to correlate an authorization request to an existing offer based on that state
Non-Goals
Initially, simply use some encoded JSON. Later, we can migrate the issuer_state to a signed JWT.
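A sketch of the correlation described in this issue, added here as an illustration and not Keycloak code: the issuer_state is base64url-encoded JSON that serves only as a lookup key into a server-side offer store, so an unsigned value cannot change which user or credential the offer is bound to. The names `create_offer`, `correlate`, `OFFERS` and the `offer_required` flag (standing in for `vc.policy.credential_offer.required`) are assumptions.

```python
import base64, json, secrets, time

OFFERS = {}  # hypothetical in-memory offer store: offer_id -> offer record

def _b64e(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _b64d(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def create_offer(user_id, config_id, ttl=300, now=None):
    """Issuer side: record the offer and return the opaque issuer_state for it."""
    now = time.time() if now is None else now
    offer_id = secrets.token_urlsafe(16)  # unguessable reference to the offer
    OFFERS[offer_id] = {"user": user_id, "config": config_id, "exp": now + ttl}
    return _b64e({"offer_id": offer_id})

def correlate(requested_config, issuer_state, offer_required, now=None):
    """Authorization endpoint: return the matching offer record, None when no
    offer is needed, or raise ValueError when the request must be rejected."""
    now = time.time() if now is None else now
    if issuer_state is None:
        if offer_required:  # models vc.policy.credential_offer.required
            raise ValueError("issuer_state required for this credential configuration")
        return None
    try:
        offer_id = _b64d(issuer_state)["offer_id"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed issuer_state") from None
    offer = OFFERS.get(offer_id) if isinstance(offer_id, str) else None
    if offer is None or offer["exp"] < now:
        raise ValueError("unknown or expired offer")
    # The unsigned state is only a lookup key; the user and credential
    # binding is taken from the stored record, never from the wallet's input.
    if offer["config"] != requested_config:
        raise ValueError("issuer_state does not match requested configuration")
    return offer
```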