[oidc4vci] Consider a simplified openid request option that only uses scopes

Issue #1441 resolved
Tobias Looker created an issue

Currently the authorization request (https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#name-authorization-request) requires the usage of the claims parameter to convey the elements of the request, which means the way an OP comes to determine that the authorization request is in fact a credential request is by inspecting the contents of the claims parameter. I suggest that a scope such as openid_credential be defined (as is the case in OIDC CP https://mattrglobal.github.io/oidc-client-bound-assertions-spec/) and be included as the basis for detecting the nature of the request. Using this scope we can also offer simpler credential request examples that negate the need for the claims request object.

For example, by defining this scope, the simplest credential request could be simplified to

GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
    &scope=openid openid_credential
    &state=af0ifjsldkj

This simply indicates that the client is requesting authorisation to all credentials offered by the provider.

Given a provider may support multiple credential types, the syntax of this scope could be extended to encode the credential type, e.g.

GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
    &scope=openid openid_credential:credential_type_1 openid_credential:credential_type_2
    &state=af0ifjsldkj

This request indicates that the client is requesting authorization to two credential types offered by the provider (credential_type_1 and credential_type_2).
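
As an added example (not part of this issue or of the OIDC4VCI spec), a small Python parser implementing the proposed scope-based detection on the two requests above. The issuer host and the list of supported credential types are assumptions; the code also flags requested types the provider does not offer, so an authorization server can reject them explicitly instead of silently ignoring them.

```python
from urllib.parse import parse_qs, urlsplit

# Scope tokens as proposed in the issue.
OPENID_SCOPE = "openid"
CREDENTIAL_SCOPE = "openid_credential"
TYPED_PREFIX = CREDENTIAL_SCOPE + ":"

# Constructed requests mirroring the issue's two examples (hypothetical issuer
# host; scope tokens become '+'-separated once URL-encoded).
BASE = ("https://issuer.example.org/authorize?response_type=code"
        "&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb"
        "&state=af0ifjsldkj&scope=")
REQ_ALL = BASE + "openid+openid_credential"
REQ_TYPED = BASE + "openid+openid_credential:credential_type_1+openid_credential:credential_type_2"
REQ_PLAIN = BASE + "openid+profile"
REQ_UNKNOWN = BASE + "openid+openid_credential:credential_type_9"

# Credential types this hypothetical provider offers.
SUPPORTED_TYPES = ["credential_type_1", "credential_type_2", "credential_type_3"]


def parse_scopes(url):
    """Return the scope tokens of an authorization request URL ([] if absent)."""
    params = parse_qs(urlsplit(url).query)
    # OAuth 'scope' is a single parameter carrying space-delimited tokens.
    return params.get("scope", [""])[0].split()


def classify_request(url, supported_types):
    """Detect a credential request from its scopes and resolve the types it names.

    Bare 'openid_credential' asks for every type the provider offers;
    'openid_credential:<type>' names one type. Types the provider does not
    offer are reported separately so the AS can reject them explicitly.
    """
    scopes = parse_scopes(url)
    if OPENID_SCOPE not in scopes:
        raise ValueError("not an OpenID request: 'openid' scope is missing")
    bare = CREDENTIAL_SCOPE in scopes
    typed = []
    for token in scopes:
        ctype = token[len(TYPED_PREFIX):] if token.startswith(TYPED_PREFIX) else ""
        if ctype and ctype not in typed:  # ignore empty and duplicate types
            typed.append(ctype)
    unknown = [t for t in typed if t not in supported_types]
    # A bare scope covers all offered types; otherwise grant only named, offered ones.
    requested = list(supported_types) if bare else [t for t in typed if t in supported_types]
    return {"is_credential_request": bare or bool(typed),
            "requested_types": requested,
            "unknown_types": unknown}
```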

Comments (3)

  1. Tobias Looker reporter

    Note I'm not suggesting that some syntax like what is currently defined in the claims object not be allowed, just that a simpler scope-based mechanism be defined also.