# OpenID for Verifiable Credentials Issuance
## Authorization Code Flow with eSTS
```plantuml
actor User as U
box Wallet
participant "Wallet" as W
end box
participant "Issuer\nWeb App" as Iss
box AAD
participant "Authorization Endpoint" as AE
participant "Token Endpoint" as TE
participant "Microsoft Graph" as MG
end box
box Entra Verified ID
participant "Credential Issuer" as CI
end box
hide footbox
Iss -> Iss: 1. generate QR code.
W -> Iss: 2. scan QR code.
W -> CI: 3. obtains Credential Issuer's metadata
W -> AE: 4. obtains Authorization Server's metadata
group obtaining Access Token\nvalid for the Issuance of a specific Credential
W -> AE ++: 5. Authorization Request\nw/ scope indicating the credential requested to be issued
note over AE: 6. User logs in using eSTS login credentials
return 7. code
W -> TE ++: 8. Token Request
return 9. Access Token valid for the issuance of a certain credential
end
group Credential Issuance
W -> CI: 10. Credential Request w/ Access Token and a proof\nthat the user controls the key material that the issued Credential will be bound to.
CI -> MG ++: 11. Access Token (OBO flow)
return 12. data about the user
CI -> W: 13. Issues Verifiable Credential, bound to the key material presented in step 10
end
```
## Pre-Authorized Code Flow with eSTS
```plantuml
actor User as U
box Wallet
participant "Wallet" as W
end box
participant "Issuer\nWeb App" as Iss
box AAD
participant "Token Endpoint" as TE
end box
box Entra Verified ID
participant "Credential Issuer" as CI
end box
hide footbox
U -> Iss: 1. uploads data (selfie, etc.)
Iss -> CI ++: 2. uploads the data
return 3. pre-authorized code
Iss -> Iss: 4. generate QR code\nwith pre-authorized code.
W -> Iss: 5. scan QR code.
W -> CI: 6. obtains Credential Issuer's metadata
W -> TE: 7. obtains Authorization Server's metadata
group obtaining Access Token\nvalid for the Issuance of a specific Credential
W -> TE ++: 8. Token Request with pre-authorized code
return 9. Access Token valid for the issuance of a certain credential
end
group Credential Issuance (same steps as authorization code flow)
W -> CI: 10. Credential Request w/ Access Token and a proof\nthat the user controls the key material that the issued Credential will be bound to.
CI -> W: 11. Issues Verifiable Credential, bound to the key material presented in step 10
end
```
## Rationale
MSFT had a plan to use eSTS for the authorization code flow and a new AS for the pre-authorized code flow, which meant different Authorization Servers for the same RS/Credential Endpoint.
This setup complicates the spec. We are exploring a way to use the same AS for both flows.
## Discussion items
- Scope of an access token
- Client authentication
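To make the "same AS for both flows" rationale and the access-token scope item concrete, here is an added example (not code from the page, eSTS or Entra Verified ID) of a single Token Endpoint serving steps 8/9 of both diagrams and the checks the Credential Issuer applies at step 10. Tokens are modelled as opaque handles looked up in a server-side store (a constructed stand-in for validating a signed eSTS token), the proof is a plain dict whose signature is assumed already verified, and all hostnames, codes and the `credential_configuration_id`/`jwk_thumbprint` field names are assumptions.

```python
"""Added example: one Authorization Server for both OpenID4VCI grant types,
and the Credential Endpoint checks that make the access-token scope matter."""
import secrets
import time

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"  # OpenID4VCI grant type
AS_ISSUER = "https://as.example"  # constructed: the single AS for both flows

# Pending grants: an authorization code (step 7) and a pre-authorized code (step 3).
# Each is tied to the one credential the resulting token may be used to obtain.
_grants = {
    "code-abc": {"grant": "authorization_code", "scope": "VerifiedEmployee"},
    "pac-123": {"grant": PRE_AUTH_GRANT, "scope": "VerifiedEmployee"},
}
_tokens = {}  # access_token -> claims the AS would otherwise encode in a signed token

def token_endpoint(req: dict) -> dict:
    """Steps 8/9 of either flow: two grant types, identical token shape."""
    if req.get("grant_type") == "authorization_code":
        code = req.get("code")
    else:
        code = req.get("pre-authorized_code")  # OpenID4VCI token-request parameter
    grant = _grants.pop(code, None)  # codes are single use, even on failure
    if grant is None or grant["grant"] != req.get("grant_type"):
        return {"error": "invalid_grant"}
    tok, c_nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(8)
    _tokens[tok] = {"iss": AS_ISSUER, "scope": grant["scope"],
                    "exp": time.time() + 300, "c_nonce": c_nonce}
    return {"access_token": tok, "token_type": "Bearer",
            "scope": grant["scope"], "c_nonce": c_nonce}

def credential_endpoint(auth_header: str, req: dict, now: float = None) -> dict:
    """Step 10: accept a token from either grant, but only for the credential its
    scope names, and only with a proof carrying this token's current c_nonce."""
    now = time.time() if now is None else now
    if not auth_header.startswith("Bearer "):
        return {"error": "invalid_token"}
    claims = _tokens.get(auth_header[len("Bearer "):])
    if claims is None or claims["iss"] != AS_ISSUER or claims["exp"] <= now:
        return {"error": "invalid_token"}
    if req.get("credential_configuration_id") != claims["scope"]:
        return {"error": "invalid_scope"}  # token was not issued for this credential
    proof = req.get("proof", {})
    if proof.get("nonce") != claims["c_nonce"]:
        return {"error": "invalid_proof"}  # stale or replayed key-binding proof
    claims["c_nonce"] = secrets.token_urlsafe(8)  # rotate so the proof cannot be replayed
    return {"credential": f"<{claims['scope']} bound to {proof.get('jwk_thumbprint')}>",
            "c_nonce": claims["c_nonce"]}
```

Because the Credential Endpoint only trusts `AS_ISSUER` and compares the requested credential against the token's scope, the grant that produced the token (user login at eSTS or a pre-authorized code) is irrelevant to the issuer, which is the property the rationale is after.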