
Profile specific validation #482


Description

@vafeini

Currently this library implements (with few exceptions) the full set of features defined in the OpenID4VCI 1.0 specification. Currently, validation is scoped to the set of requirements and expectations that the specification itself poses.

The feature set of the OpenID4VCI specification is further profiled and made more strict by specifications like HAIP, the EUDI ARF itself or the ETSI 472-3 standard. These profiles pose stricter requirements on Credential Issuers and Wallets regarding issuance.

Such restrictions are always easy to implement as simple configuration options. They need to be somehow wired into the implementation itself.

The purpose of this issue is to gather those extra validation rules imposed by those profiles and discuss ways to make them available for selection to clients of this library.

HAIP

  • Issuers MUST support the authorization code flow. These are the OAuth server's grant types supported (metadata property grant_types_supported)
  • Issuers MUST support [RFC7636] with S256 as the code challenge method.
  • If the issuer advertises cryptographically bound attestations it MUST provide a nonce endpoint.
  • Issuer metadata MUST include a scope for every Credential Configuration it supports.
  • Scopes are mandatory to be used in authorization requests.
  • PAR MUST be supported by Credential Issuers
  • DPoP MUST be supported by Credential Issuers
  • ABCA is mandatory for PAR and Token endpoints

EUDI over HAIP

  • Signed issuer metadata are mandatory
  • For key-bound attestations, cryptographic material MUST be communicated to the issuer with key attestations (WUAs) via
    • jwt proof type using key_attestation
    • attestation proof type
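As an added illustration of how the profile rules listed above could be expressed as a selectable check layered on top of base OpenID4VCI validation (this is example code, not part of this library or the issue), the function below evaluates the HAIP rules that are visible in issuer and authorization server metadata, plus the EUDI signed-metadata rule. Metadata field names follow OpenID4VCI 1.0, RFC 8414, RFC 9126 and RFC 9449; the metadata values are constructed sample input. ABCA is not checked here, since it is an endpoint behaviour rather than a metadata property.

```python
# Example profile validator: reports which HAIP / EUDI rules a metadata pair breaks.
# Metadata keys are the standard ones; sample values below are constructed.

def haip_violations(issuer_meta: dict, as_meta: dict, eudi: bool = False) -> list[str]:
    """Return the profile rules the metadata violates (empty list means compliant)."""
    problems = []
    if "authorization_code" not in as_meta.get("grant_types_supported", []):
        problems.append("authorization code grant not supported")
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE code challenge method S256 not supported")
    if "pushed_authorization_request_endpoint" not in as_meta:
        problems.append("PAR endpoint missing")
    if not as_meta.get("dpop_signing_alg_values_supported"):
        problems.append("DPoP not supported")
    configs = issuer_meta.get("credential_configurations_supported", {})
    # A configuration advertising a binding method means key-bound credentials are offered.
    key_bound = any(c.get("cryptographic_binding_methods_supported") for c in configs.values())
    if key_bound and "nonce_endpoint" not in issuer_meta:
        problems.append("key-bound credentials offered but no nonce endpoint")
    for cid, cfg in configs.items():
        if not cfg.get("scope"):
            problems.append(f"credential configuration {cid!r} has no scope")
    if eudi and "signed_metadata" not in issuer_meta:
        problems.append("EUDI: issuer metadata is not signed")
    return problems


# Constructed sample: an issuer/AS pair that satisfies every rule above.
COMPLIANT_AS = {
    "grant_types_supported": ["authorization_code"],
    "code_challenge_methods_supported": ["S256"],
    "pushed_authorization_request_endpoint": "https://as.example/par",
    "dpop_signing_alg_values_supported": ["ES256"],
}
COMPLIANT_ISSUER = {
    "nonce_endpoint": "https://issuer.example/nonce",
    "signed_metadata": "<compact JWS placeholder>",
    "credential_configurations_supported": {
        "pid_sd_jwt": {"scope": "pid", "cryptographic_binding_methods_supported": ["jwk"]},
    },
}
# Constructed sample: valid base OpenID4VCI metadata that fails the stricter profile.
LOOSE_AS = {
    "grant_types_supported": ["authorization_code"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
LOOSE_ISSUER = {
    "credential_configurations_supported": {
        "pid_sd_jwt": {"cryptographic_binding_methods_supported": ["jwk"]},
    },
}
```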
