Using credential_identifier with scopes seems ambiguous
https://github.com/openid/OpenID4VCI/pull/392 added an option for the AS to return credential_identifier when credentials are requested using scopes.
It resulted in text like this:
that seems to say that there's a credential_identifiers in the top level of the token response in this case. And we define one in the IANA considerations.
But we have this text:
REQUIRED when an Authorization Details of type openid_credential was returned from the Token Response. It MUST NOT be used otherwise.
That only talks about authorization_details.
I think there are two possible interpretations of the current text, if scopes are used and the authorization server wants to return a credential_identifiers:

1. it needs to return an authorization_details
2. it returns a new credential_identifiers at the top level of the token response
I think "2" was what was intended. If it was, we should fix the text above to allow credential_identifier in the credential request, and we should probably add an example token response for this case to make it clear, and change the 'token response' section to clearly define this new top level token response parameter.
If "1" was what was intended, we need to be more explicit that the AS needs to return an authorization_details and remove the IANA registration for a credential_identifiers parameter at the top level of the token endpoint response.
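As an added illustration (not part of this issue or of the OpenID4VCI spec text), the two readings expressed as wallet-side checks over constructed token responses; the sample token values, scope string and credential identifiers are made up, and the `credential_configuration_id` field is omitted since the readings only concern where `credential_identifiers` lives:

```python
import json

# Constructed sample token responses (not from the issue or the spec) showing the
# two places credential_identifiers could appear in a token response.
TOKEN_RESPONSE_AUTHZ_DETAILS = json.loads("""{
  "access_token": "constructed-token-1", "token_type": "Bearer", "expires_in": 3600,
  "authorization_details": [
    {"type": "openid_credential", "credential_identifiers": ["cred-a", "cred-b"]}
  ]
}""")
TOKEN_RESPONSE_TOP_LEVEL = json.loads("""{
  "access_token": "constructed-token-2", "token_type": "Bearer", "expires_in": 3600,
  "scope": "example_credential_scope",
  "credential_identifiers": ["cred-c"]
}""")


def credential_identifiers_from_token_response(resp: dict) -> list[str]:
    """Collect the identifiers a wallet may later use in credential requests.

    Looks in authorization_details entries of type openid_credential and in a
    top-level credential_identifiers array. Rejects a response carrying both,
    since the current text gives no precedence rule for that case.
    """
    from_details = [
        cid
        for entry in resp.get("authorization_details", [])
        if entry.get("type") == "openid_credential"
        for cid in entry.get("credential_identifiers", [])
    ]
    top_level = list(resp.get("credential_identifiers", []))
    if from_details and top_level:
        raise ValueError("credential_identifiers in both authorization_details and top level")
    ids = from_details or top_level
    if not all(isinstance(cid, str) and cid for cid in ids):
        raise ValueError("credential identifiers must be non-empty strings")
    return ids


def credential_identifier_allowed_in_credential_request(resp: dict, reading: int) -> bool:
    """Whether a credential request may carry credential_identifier, per reading.

    reading 1: the current text taken literally; allowed only when the token
    response returned authorization_details of type openid_credential.
    reading 2: also allowed when the AS returned top-level credential_identifiers.
    """
    has_details = any(
        entry.get("type") == "openid_credential"
        for entry in resp.get("authorization_details", [])
    )
    if reading == 1:
        return has_details
    if reading == 2:
        return has_details or bool(resp.get("credential_identifiers"))
    raise ValueError("reading must be 1 or 2")
```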