Hi,
I've tried to test the OpenID4VCI Authorization Code Flow using Sphereon Wallet and noticed that for the authorization request it does not provide the client_id parameter. Since the client_id param is mandatory as per OAuth2, I throw / return an error on such a request.
Sample request entry from access logs:
```
/authorization?
response_type=code&
state=830c7394fb0af4c5c34854844f9d480a6515a8f677dccada1086a09d7855af54&
authorization_details=[{"type":"openid_credential","locations":["https://idp","https://idp"],"credential_definition":{},"credential_configuration_id":"ResearchAndScholarshipCredentialJwtVcJson"}]&
redirect_uri=openid-credential-offer://com.sphereon.wallet&
code_challenge=xDW7vvey5ebg26Nxo08lTPYNKCLKEvfaOtdn9-uE6SQ&
code_challenge_method=S256&
issuer_state=830c7394fb0...
```
Sphereon Wallet version is 0.5.3, installed on Android v15.
The issuer is a WIP OpenID4VCI implementation in SimpleSAMLphp, with Sphereon Wallet used for testing. I've successfully used Sphereon Wallet to test the Pre-Authorized Code flow for issuing jwt_vc_json and vc+sd-jwt credentials. Interestingly, I see that Sphereon sends the client_id parameter for token requests in the Pre-Authorized Code Flow.
Note that I currently don't have any dynamic client registration capabilities implemented, if that is relevant.
Thanks in advance
Marko I.
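
For context on the issuer-side check described in this report, here is an added example (not code from the issue, from Sphereon Wallet, or from the SimpleSAMLphp module) of validating an authorization request in the order RFC 6749 requires: the client and redirect URI are verified first, and errors are only returned to `redirect_uri` after that. The client registry, the `example-wallet` client ID, the shortened sample values and the mandatory-PKCE policy are assumptions.

```javascript
// Constructed client registry (assumption): client_id -> allowed redirect URIs.
const CLIENTS = new Map([
  ["example-wallet", ["openid-credential-offer://com.sphereon.wallet"]],
]);

// Parameters modelled on the logged request above (values shortened, constructed).
const LOGGED_REQUEST = [
  "response_type=code",
  "state=830c7394",
  'authorization_details=[{"type":"openid_credential"}]',
  "redirect_uri=openid-credential-offer://com.sphereon.wallet",
  "code_challenge=xDW7vvey5ebg26Nxo08lTPYNKCLKEvfaOtdn9-uE6SQ",
  "code_challenge_method=S256",
].join("&");

function validateAuthorizationRequest(query, clients = CLIENTS) {
  const p = new URLSearchParams(query);
  // redirect=false: show the error to the user, do not send it to redirect_uri.
  const fail = (error, description, redirect) => ({ ok: false, error, description, redirect });

  // RFC 6749 section 3.1: a parameter must not appear more than once.
  for (const name of new Set(p.keys())) {
    if (p.getAll(name).length > 1) return fail("invalid_request", `duplicate ${name}`, false);
  }

  // RFC 6749 section 4.1.2.1: with a missing or unknown client_id, or an
  // unregistered redirect_uri, the server must not redirect automatically.
  const clientId = p.get("client_id");
  if (!clientId) return fail("invalid_request", "client_id is missing", false);
  const allowed = clients.get(clientId);
  if (!allowed) return fail("invalid_request", "unknown client_id", false);
  const redirectUri = p.get("redirect_uri");
  if (!redirectUri || !allowed.includes(redirectUri)) {
    return fail("invalid_request", "redirect_uri is missing or not registered", false);
  }

  // The redirect_uri is now verified, so later errors may be returned to it.
  if (p.get("response_type") !== "code") {
    return fail("unsupported_response_type", "only response_type=code is supported", true);
  }
  // Assumed issuer policy: PKCE with S256 is mandatory.
  if (!p.get("code_challenge") || p.get("code_challenge_method") !== "S256") {
    return fail("invalid_request", "PKCE with S256 is required", true);
  }
  return { ok: true, clientId, redirectUri, state: p.get("state") };
}
```

Run against `LOGGED_REQUEST`, the function rejects the request with `redirect: false`, because without a `client_id` the issuer has no registration to check the `redirect_uri` against.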