4 changes: 4 additions & 0 deletions docs/en/credential-issuance-endpoint.rst
Expand Up @@ -80,6 +80,10 @@ the request to the Credential Issuer authorization endpoint MUST use the followi
- It MUST be set to a value containing the Wallet Attestation JWT Proof of Possession.
- `OAUTH-ATTESTATION-CLIENT-AUTH`_.

.. note::
Clients SHOULD select the algorithms for the Wallet Attestation and its proof of possession according to the Authorization Server metadata fields
``client_attestation_signing_alg_values_supported`` and ``client_attestation_pop_signing_alg_values_supported`` documented in :ref:`credential-issuer-metadata:Metadata for oauth_authorization_server`.


The JWT *Request Object* has the following JOSE header parameters:

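Review bot: the note has Clients "select the algorithms for the Wallet Attestation and its proof of possession", but the Wallet Attestation's signing algorithm is fixed by whoever issued it, so at request time the Client can only check that the attestation it already holds uses a value listed in ``client_attestation_signing_alg_values_supported`` and choose the proof-of-possession algorithm from ``client_attestation_pop_signing_alg_values_supported``. Suggest splitting the sentence into those two statements, e.g. "Clients SHOULD verify that the Wallet Attestation they present uses an algorithm listed in ... and SHOULD sign the proof of possession with an algorithm listed in ...", and pointing at the important:: added in credential-issuer-metadata.rst for what to do when the attestation does not match, so both files describe the same behaviour.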
9 changes: 9 additions & 0 deletions docs/en/credential-issuer-metadata.rst
Expand Up @@ -45,6 +45,10 @@ The *oauth_authorization_server* metadata MUST contain the following parameters.
- JSON array containing a list of the supported grant type values. The authorization server MUST support *authorization_code*.
* - **token_endpoint_auth_methods_supported**
- JSON array containing a list of supported client authentication methods. The Token Endpoint MUST support *attest_jwt_client_auth* as defined in `OAUTH-ATTESTATION-CLIENT-AUTH`_.
* - **client_attestation_signing_alg_values_supported**
- JSON array containing the list of JWS "alg" values supported for the Wallet Attestation (the ``oauth-client-attestation+jwt``). Values MUST be chosen from Section :ref:`algorithms:cryptographic algorithms` and MUST NOT include ``none`` nor symmetric (MAC) algorithms.
* - **client_attestation_pop_signing_alg_values_supported**
- JSON array containing the list of JWS "alg" values supported for the Wallet Attestation Proof-of-Possession (the ``oauth-client-attestation-pop+jwt``). Values MUST be chosen from Section :ref:`algorithms:cryptographic algorithms` and MUST NOT include ``none`` nor symmetric (MAC) algorithms.
* - **token_endpoint_auth_signing_alg_values_supported**
- JSON array containing a list of the signing algorithms ("*alg*" values) supported by the token endpoint for the signature on the JWT used to authenticate the client at the Token Endpoint. See :rfc:`8414#section-2`.
* - **request_object_signing_alg_values_supported**
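Review bot: the two new rows cite no defining reference, while the surrounding rows each end with a "See ..." (:rfc:`8414#section-2`, :rfc:`9449`, `OID-FED`_); add one pointing at whatever defines these parameter names (`OAUTH-ATTESTATION-CLIENT-AUTH`_ if they come from there, otherwise state that this profile defines them) so a reader can tell whether they are registered Authorization Server metadata or profile-specific. Also check the :ref: target: this file uses ``algorithms:cryptographic algorithms`` while docs/it uses ``algorithms:Algoritmi Crittografici``; each must match the section label generated in its own tree or Sphinx will emit an unresolved-reference warning and render plain text.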
Expand All @@ -54,6 +58,11 @@ The *oauth_authorization_server* metadata MUST contain the following parameters.
* - **jwks**
- JSON Web Key Set containing the cryptographic keys for the authorization server. See `OID-FED`_ Section 5.2.1 and `JWK`_.

.. important::
If ``token_endpoint_auth_methods_supported`` includes ``attest_jwt_client_auth``, the Authorization Server MUST include both
``client_attestation_signing_alg_values_supported`` and ``client_attestation_pop_signing_alg_values_supported`` in its metadata.
Clients SHOULD fetch and parse the Authorization Server metadata to detect support and algorithm requirements for Attestation-Based Client Authentication. When algorithms are incompatible, the client MAY obtain a new client attestation using a supported algorithm.

Metadata for openid_credential_issuer
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

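Review bot: the condition "If ``token_endpoint_auth_methods_supported`` includes ``attest_jwt_client_auth``" is always true in this profile, because the row above states the Token Endpoint MUST support *attest_jwt_client_auth* and the table's introduction already says the metadata MUST contain every listed parameter, so the first sentence both repeats the table and makes the parameters look conditional. Either state it unconditionally ("The Authorization Server MUST include both ...") or mark the two rows as conditional/optional and keep the sentence, not both. The last sentence also leaves the failure path open: say which error the Authorization Server returns when a presented attestation or proof of possession uses an unsupported algorithm, so Clients can tell this case apart from other client-authentication failures before going back for a new attestation.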
5 changes: 5 additions & 0 deletions docs/it/credential-issuance-endpoint.rst
Expand Up @@ -81,6 +81,11 @@ la richiesta all'authorization endpoint del Credential Issuer DEVE utilizzare i
- `OAUTH-ATTESTATION-CLIENT-AUTH`_.


.. note::
I client DOVREBBERO selezionare gli algoritmi da utilizzare per la Wallet Attestation e la relativa prova di possesso sulla base dei campi di metadata dell'Authorization Server
``client_attestation_signing_alg_values_supported`` e ``client_attestation_pop_signing_alg_values_supported`` documentati in :ref:`credential-issuer-metadata:Metadata per oauth_authorization_server`.


Il JWT *Request Object* ha i seguenti parametri di header JOSE:

.. _table_request_object_claim:
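Review bot: same issue as the English note: "I client DOVREBBERO selezionare gli algoritmi da utilizzare per la Wallet Attestation" has the Client choose the attestation's algorithm, which it cannot do once the attestation has been issued; mirror whatever rewording is applied to docs/en/credential-issuance-endpoint.rst here so both translations make the same normative statement. Minor: two blank lines precede the directive here and one in the English file.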
8 changes: 8 additions & 0 deletions docs/it/credential-issuer-metadata.rst
Expand Up @@ -47,13 +47,21 @@ I Metadata *oauth_authorization_server* DEVONO contenere i seguenti parametri.
- Array JSON contenente un elenco dei metodi di *client authentication* supportati. Il *token endpoint* DEVE supportare *attest_jwt_client_auth* come definito in `OAUTH-ATTESTATION-CLIENT-AUTH`_.
* - **token_endpoint_auth_signing_alg_values_supported**
- Array JSON contenente un elenco degli algoritmi di firma ("valori *alg*") supportati dal *token endpoint* per la firma sul JWT utilizzato per autenticare il client al *token endpoint*. Vedi :rfc:`8414#section-2`.
* - **client_attestation_signing_alg_values_supported**
- Array JSON con l’elenco dei valori JWS "alg" supportati per la Wallet Attestation (``oauth-client-attestation+jwt``). I valori DEVONO provenire dalla Sezione :ref:`algorithms:Algoritmi Crittografici` e NON DEVONO includere ``none`` né algoritmi simmetrici (MAC).
* - **client_attestation_pop_signing_alg_values_supported**
- Array JSON con l’elenco dei valori JWS "alg" supportati per la Proof-of-Possession della Wallet Attestation (``oauth-client-attestation-pop+jwt``). I valori DEVONO provenire dalla Sezione :ref:`algorithms:Algoritmi Crittografici` e NON DEVONO includere ``none`` né algoritmi simmetrici (MAC).
* - **request_object_signing_alg_values_supported**
- Array JSON contenente un elenco degli algoritmi di firma ("valori *alg*") supportati per i *Request Objects*. Vedi `[openid-connect-discovery-1_0] <https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>`_.
* - **dpop_signing_alg_values_supported**
- Array JSON contenente un elenco degli algoritmi di firma (valori "*alg*") supportati per i JWT DPoP proof. Vedi :rfc:`9449`.
* - **jwks**
- JSON Web Key Set contenente le chiavi crittografiche per '*authorization server*. Vedi `OID-FED`_ Sezione 5.2.1 e `JWK`_.

.. important::
Se ``token_endpoint_auth_methods_supported`` include ``attest_jwt_client_auth``, l’Authorization Server DEVE includere entrambi ``client_attestation_signing_alg_values_supported`` e ``client_attestation_pop_signing_alg_values_supported`` nei propri metadati. I client DOVREBBERO recuperare e analizzare i metadati per rilevare supporto e requisiti di algoritmo per l’Attestation-Based Client Authentication e, in caso di incompatibilità, POSSONO ottenere una nuova attestation con un algoritmo supportato.


Metadata per openid_credential_issuer
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

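Review bot: row order differs from the English table: here the two new rows are inserted after **token_endpoint_auth_signing_alg_values_supported**, while docs/en/credential-issuer-metadata.rst inserts them before it; use the same position in both files so the tables stay diffable against each other. The important:: has the same redundancy as the English one (the condition on ``attest_jwt_client_auth`` is always satisfied because the row above makes it mandatory), so apply the same fix here, and check that the ``:ref:`` label ``algorithms:Algoritmi Crittografici`` matches the Italian section label.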
10 changes: 10 additions & 0 deletions examples/ec-eaa.json
Expand Up @@ -66,6 +66,16 @@
"token_endpoint_auth_methods_supported": [
"attest_jwt_client_auth"
],
"client_attestation_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"client_attestation_pop_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"token_endpoint_auth_signing_alg_values_supported": [
"ES256",
"ES384",
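Review bot: the example lists ``ES256``, ``ES384``, ``ES512`` for both parameters, which is consistent with the "no ``none``, no MAC" rule in the rst rows; but nothing in the rows or the example says whether array order expresses a preference, and the endpoint note asks Clients to "select" an algorithm. Consider stating in credential-issuer-metadata.rst whether order is significant, otherwise some implementers will read the first entry as preferred and others will not.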