Regression issue : the authorization_server endpoint in the offer is not taken into account anymore

[ThierryThevenet]

That is the first authorization_endpoint to use if it exists

In the following case the authorization_server endpoint is in the offer and the token endpoint is in the authorization server metadata
test with

[hawkbee1]

The offer:
{"credential_issuer":"https://openid-dts-dev-features.dev.adaptivespace.io/issuers/01930812-df79-76d0-889b-3d05cc423889","credential_configuration_ids":["PhotoId-3-with-sd_VC+SD-JWT"],"grants":{"authorization_code":{"issuer_state":"019398bf-9eac-774f-a909-68d8cdab7bdf","authorization_server":"https://authk.dev.adaptivespace.io/realms/pid-issuer-realm"}}}

The url we are launching:
https://authk.dev.adaptivespace.io/realms/pid-issuer-realm/authorize?response_type=code&redirect_uri=https%3A%2F%2Fapp.altme.io%2Fapp%2Fdownload%2Fcallback&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb2RlVmVyaWZpZXIiOiJjbVRiT21RdzZ3SnM4RlpqLUluMkFwQk1zbm9kOXlQQkxaUGdsVmlVZk8wIiwiY3JlZGVudGlhbHMiOlsiUGhvdG9JZC0zLXdpdGgtc2RfVkMrU0QtSldUIl0sImlzc3VlciI6Imh0dHBzOi8vb3BlbmlkLWR0cy1kZXYtZmVhdHVyZXMuZGV2LmFkYXB0aXZlc3BhY2UuaW8vaXNzdWVycy8wMTkzMDgxMi1kZjc5LTc2ZDAtODg5Yi0zZDA1Y2M0MjM4ODkiLCJpc0VCU0kiOmZhbHNlLCJwdWJsaWNLZXlGb3JEUG9wIjoie1wiY3J2XCI6XCJQLTI1NlwiLFwiZFwiOlwicEdSMWxZUFNpeDdLLXNmRGRQV3MybG9JRjJXbGxINDR2ci1SeTVORTBfMFwiLFwia3R5XCI6XCJFQ1wiLFwieFwiOlwia3VLeWpjd3Uyclc0aXdLdk55aUltdTV1cUo1ZWZybzY3dktDaC1CUC1Lc1wiLFwieVwiOlwib1hmMHg5ejhBRURHWVN5d1REUVp5MlBDUFdYU3llaGs5NTA2OXBvY0dWRVwifSIsImNsaWVudF9pZCI6ImRpZDprZXk6ejZNa3JZdFlrR3g3ZlNxWVpBeGNTZThINVhTWENkVXRBSFR3YlVwaGNmV1VRcXJFIiwiaWF0IjoxNzMzNTgzNTIzfQ.fb6RsdcafeOXD6Q2QXVpQMskMwb2KJ72jUtBa1COGEU&nonce=1cf35f74-4ecd-4c41-ae60-4e496b51f2a3&code_challenge=gRD9exFLHttbI5M4VC772huLpGseSjz6AbKswg1C3g4&code_challenge_method=S256&issuer_state=019398bf-9eac-774f-a909-68d8cdab7bdf&wallet_issuer=https%3A%2F%2Fapp.altme.io%2Fwallet_issuer&client_id=did%3Akey%3Az6MkrYtYkGx7fSqYZAxcSe8H5XSXCdUtAHTwbUphcfWUQqrE&scope=openid&authorization_details=%5B%7B%22type%22%3A%22openid_credential%22%2C%22format%22%3A%22vc%2Bsd-jwt%22%2C%22vct%22%3A%22PhotoId-3-with-sd%22%7D%5D

[ThierryThevenet]

The url is not the good one, it is probably a fallback if there is no endpoint found.

the wallet should look for the authorization server metadata on the authorization_server of the offer + "/.well-known/oauth-authorization-server" endpoint as it is defined here https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html#name-credential-issuer-metadata-p

[ThierryThevenet]

@hawkbee1
la règle est la suivante :

si l 'url de l'authorization (URL_AS) server est dans la credential offer il faut verifier qu'il est aussi dans la liste des authorization server qui est donnée dans les credential issuer metadata attribut authorization_server.
si c est le cas les metadatas de l'authorization server sont sur URL_AS/.well-known/oauth-authorization-server

si il n'y a pas d'authorization server nommé dans l offer. il faut utiliser l'url de l issuer (URL_ISSUER) pour trouver les metadatas de l authorization server sur URL_ISSUER/.well-known/oauth-authorization-server

Donc en definitive les metadatas de l'authorization server ne sont pas mélangées avec celles de l issuer et ne sont pas sur /.well-known/openid-configuration......sauf pour EBSI V3x

https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-issuer-metadata-p