Potentially improper format for workflow createAuthorizationRequest step property

[kezike]

I noticed that the createAuthorizationRequest property in workflow.steps[STEP_NAME].openId.createAuthorizationRequest found in the workflow creation request and response as well as the workflow retrieval response is specified as a string. I believe that this should be a boolean. Is that correct?

[dlongley]

No, it actually is correct as a string. The value identifies the name of the variable (in variables) that the auto-generated authorization request will be stored in for subsequent use in the exchange. The text should be updated to make this clear.

[kezike]

Ah OK, where the "auto-generated authorization request" is an OID4V* authorization request?

Also, I think that we should update both the description of this property as well as the name of the property itself. Since we have another step-level create* property that is a boolean (createChallenge), it seems inconsistent to use that verb for this property, which is not a boolean.

[dlongley]

Ah OK, where the "auto-generated authorization request" is an OID4* authorization request?

Yeah, that's right.

The createAuthorizationRequest key is nested under openId and is for auto-generating an "OpenID for Verifiable Presentations Authorization Request" from the combination of a VPR (for example, see: https://github.com/digitalbazaar/oid4-client/blob/v4.3.0/lib/oid4vp.js#L300) and other exchange information. Optionally, additional specific OID4VP parameters can be included in the step's openId section so they will be used in the generated authorization request.

We could flush out how to integrate VC API exchanges with OID4VP a bit more in the spec so how to generate a compliant authorization request is more clear. Historically, the OID4VP spec was going through significant flux -- so that we didn't want to write anything down that would just need to be later revised or that would entrench improper implementations. But, it seems that may have settled at this point so we could proceed.

Also, I think that we should update both the description of this property as well as the name of the property itself. Since we have another step-level create* property that is a boolean (createChallenge), it seems inconsistent to use that verb for this property, which is not a boolean.

We could consider doing this, though it will affect existing implementations.

[msporny]

The group discussed this on the 2025-02-25 telecon:

A PR should be raised that explains what the value of the createAuthorizationRequest is supposed to contain (with a concrete example).