
Clarification on optionality of Scope vs Authorization Details

Open paulbastian opened this issue 1 year ago • 3 comments

Section 5.1 Auth Request says "There are two possible ways to request issuance of a specific Credential type in an Authorization Request. One way is to use the authorization_details request parameter, as defined in [RFC9396], with one or more authorization details objects of type openid_credential, per Section 5.1.1. The other is through the use of scopes as defined in Section 5.1.2." Section 5.1.2 on scope says "In addition to a mechanism defined in Section 5.1, Credential Issuers MAY support requesting authorization to issue a Credential using the OAuth 2.0 scope parameter."

There is no equivalent phrase in Section 5.1.1 authorization_details, instead "The request parameter authorization_details defined in Section 2 of [RFC9396] MUST be used to convey the details about the Credentials the Wallet wants to obtain."

While this last MUST is probably only referring to the parameter named "authorization_details" from RFC9396, it is less clear that authorization_details is also optional.

paulbastian avatar May 03 '24 14:05 paulbastian

I think that scope and authorization_details are equivalent options and I agree this should be clarified.

awoie avatar May 07 '24 19:05 awoie

+1 we need to clarify the spec does not intend to prioritize one option over the other (at least right now). I think @paulbastian, if you do a PR, it can move forward.

Sakurann avatar May 07 '24 20:05 Sakurann

Have a question: Given that a credential offer contains one or more credential_configuration_id(s), it could be the case that for some configurations there is a scope whereas for others the scope is absent (implying that authorization_details should be used).

Is it possible to assemble an authorization request (for multiple credential_configuration_id(s)) having both scope (for the credentials that support it) and authorization_details, or are those two options mutually exclusive?

babisRoutis avatar May 17 '24 07:05 babisRoutis
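The two request forms quoted in the issue, built for a single credential configuration and then read back as an authorization server would see them; this is an added example, not text from the specification or from any commenter. The issuer metadata, endpoint, client_id, redirect URI and configuration names are constructed, and the layout (an optional `scope` member per entry in `credential_configurations_supported`, and an authorization details object carrying `credential_configuration_id`) is assumed from the draft under discussion. It handles one configuration per request and does not combine the two parameters.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed issuer metadata: one configuration advertises a scope, one does not.
ISSUER_METADATA = {
    "credential_configurations_supported": {
        "UniversityDegree": {"format": "jwt_vc_json", "scope": "degree"},
        "EmployeeBadge": {"format": "jwt_vc_json"},
    }
}

def build_authorization_request(endpoint, config_id, mechanism, metadata=ISSUER_METADATA):
    """Return an authorization request URL asking for one credential configuration."""
    configs = metadata["credential_configurations_supported"]
    if config_id not in configs:
        raise KeyError(f"unknown credential_configuration_id: {config_id}")
    params = {
        "response_type": "code",
        "client_id": "wallet.example",                # constructed value
        "redirect_uri": "https://wallet.example/cb",  # constructed value
    }
    if mechanism == "authorization_details":
        # RFC 9396 parameter: a JSON array of authorization details objects.
        params["authorization_details"] = json.dumps(
            [{"type": "openid_credential", "credential_configuration_id": config_id}]
        )
    elif mechanism == "scope":
        scope = configs[config_id].get("scope")
        if scope is None:
            # Nothing to put in the scope parameter for this configuration.
            raise ValueError(f"{config_id} advertises no scope")
        params["scope"] = scope
    else:
        raise ValueError(f"unknown mechanism: {mechanism}")
    return f"{endpoint}?{urlencode(params)}"

def requested_credentials(url):
    """Server-side view: which parameter a request used and what it named."""
    query = parse_qs(urlparse(url).query)
    found = {}
    if "authorization_details" in query:
        details = json.loads(query["authorization_details"][0])
        found["authorization_details"] = [
            d["credential_configuration_id"] for d in details
            if d.get("type") == "openid_credential"
        ]
    if "scope" in query:
        found["scope"] = query["scope"][0].split()
    return found
```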