fix(openid4vci): use credential issuer identifier as proof audience

JorisHeadease · JorisHeadease · commit 6b9902b82eed · 2026-03-16T15:58:47.000+01:00
The proof JWT audience (aud) must be the Credential Issuer Identifier
per v1.0 Section 8.2.1.1, not the Authorization Server issuer. These
differ when the credential issuer delegates to a separate AS.
diff --git a/auth/api/iam/openid4vci.go b/auth/api/iam/openid4vci.go
@@ -137,7 +137,7 @@ func (r Wrapper) RequestOpenid4VCICredentialIssuance(ctx context.Context, reques
 		// OpenID4VCI issuers may use multiple Authorization Servers
 		// We must use the token_endpoint that corresponds to the same Authorization Server used for the authorization_endpoint
 		TokenEndpoint:                   authzServerMetadata.TokenEndpoint,
-		IssuerURL:                       authzServerMetadata.Issuer,
+		IssuerURL:                       credentialIssuerMetadata.CredentialIssuer,
 		IssuerCredentialEndpoint:        credentialIssuerMetadata.CredentialEndpoint,
 		IssuerNonceEndpoint:             credentialIssuerMetadata.NonceEndpoint,
 		IssuerCredentialConfigurationID: credentialConfigID,
