10.2. Credential Issuer Solution¶
An Issuer, as an Organizational Entity participating in the IT-Wallet ecosystem, MUST provide Technical Solutions (Issuer Solution) that combine software, hardware, services, settings, and configurations to issue Digital Credentials to User Wallet Instances in a secure and trusted manner.
The following diagram depicts the Issuer Solution High Level Architecture.
Fig. 10.9 Credential Issuer Solution High Level Architecture.¶
10.2.1. Credential Issuer Requirements¶
The Digital Credential Issuer Solution MUST:
Register with the Federation Authority to obtain proper authorization for issuing specific credential types.
Implement secure creation and issuance mechanisms that ensure integrity and confidentiality.
Communicate with Authentic Sources through secure and reliable API Services to obtain verified User data.
Authenticate to Wallet Instances during issuance to prove its legitimacy.
Support immediate issuance flow and MAY support deferred issuance for various operational scenarios.
Implement appropriate error handling and User notifications for all processes.
Maintain comprehensive audit trails while respecting privacy regulations.
Issue Digital Credentials that support Selective Disclosure.
Periodically renew its trust with the Federation.
Register the Relying Party Component within the CIEid Digital Identity Federation ecosystem (for PID issuance), and within the IT-Wallet ecosystem (for (Q)EAA issuance, if required).
For PID issuance, authenticate Users with LoA High using national Digital Identity infrastructure.
For (Q)EAA issuance requiring authentication, verify a valid PID from the User's Wallet Instance via OpenID4VP.
Implement proper procedures for the entire Digital Credential lifecycle as detailed in Section Digital Credential Lifecycle.
For the Frontend Component (if implemented):
Authenticate Users with a Level of Assurance (LoA) at least equal to that used to obtain the Digital Credential being issued or managed.
Provide appropriate security measures to protect User data and Digital Credential information.
10.2.2. Component Details¶
10.2.2.1. Frontend Component¶
The Frontend Component, if provided by the Issuer, MUST provide a web-based User interface for Digital Credential management, offering functionality to:
Display and verify issued Digital Credentials and their status.
Manage Digital Credential lifecycle (e.g., revocation).
Initiate issuance through Credential Offers.
Provide User support and documentation.
Issuers MAY provide additional services to the User through the Frontend Component. These additional services MUST NOT conflict with any regulatory or technical requirements defined in this technical specification or in national/European security and privacy regulations.
10.2.2.2. Credential Issuer Component¶
Following the OpenID4VCI specification and the implementation profile in Section Digital Credential Issuance, this component MUST:
Issue Digital Credentials to Wallet Instances.
Process Digital Credential requests.
Obtain User data from Authentic Sources.
Generate properly formatted and signed Digital Credentials in supported formats (SD-JWT-VC, mDoc-CBOR). See Section Digital Credential Data Model for more details.
Implement the Digital Credential issuance protocols and flows.
10.2.2.4. Relying Party Component¶
When User authentication is required, this component MUST authenticate Users:
For PID issuance, via national Digital Identity Providers.
For (Q)EAA issuance, requesting, obtaining and validating PIDs from User Wallet Instances using OpenID4VP in accordance with Section Digital Credential Presentation.
10.2.2.5. API Interface¶
This component MUST establish secure connections with Authentic Sources to:
Retrieve verified User data.
Properly authenticate and authorize connections.
Format data according to Digital Credential schemas.
Provide cryptographic evidence of User authentication when required.
Note
For public Authentic Sources, a Credential Issuer MUST use PDND according to rules in Sections e-Service PDND, Status Update by Authentic Sources, and e-Service PDND Authentic Source Catalog.
10.2.2.6. Credential Lifecycle Management¶
This component MUST handle:
Status management (maintaining and updating validity).
Revocation processes (implementing mechanisms to revoke or suspend Digital Credentials), according to Section Digital Credential Lifecycle.
Renewal workflows (managing Digital Credential renewal processes), according to the mechanisms defined in Section Digital Credential Issuance.
10.2.2.7. Trust & Security Component¶
This component MUST ensure security through:
Key and certificate management.
Audit logging.
Security monitoring and incident response.
Compliance with IT-Wallet Federation security requirements.
10.2.3. Interaction Patterns¶
The Digital Credential Issuer Solution supports these interaction patterns:
User to Frontend: Web-based interactions for Digital Credential management.
Frontend to Credential Issuer: Converts user requests into OpenID4VCI protocol messages.
Wallet Instance to Credential Issuer: Direct protocol-based interactions following the issuance flow.
Relying Party to Identity Providers: Authentication interactions with national eID systems or PID verification.
API Interface to Authentic Sources: Secure API calls to retrieve verified User data.
All interactions must follow the security considerations in Section Digital Credential Issuance, including proper handling of tokens, proofs, and cryptographic materials.
10.2.4. Credential Issuer Entity Configuration¶
The Credential Issuers, as Federation Entity, MUST adhere to the guidelines outlined in Section trust:Configuration of the Federation. Specifically, they MUST provide a well-known endpoint that hosts their Entity Configuration. The Entity Configuration of Credential Issuers MUST contain the parameters defined in the Sections trust:Entity Configuration Leaves and Intermediates and trust:Entity Configurations Common Parameters.
The Credential Issuers MUST provide, at least, the following metadata types:
federation_entity
oauth_authorization_server
openid_credential_issuer
In cases where the (Q)EAA Providers authenticate Users using their Wallet Instance, then the metadata for openid_credential_verifier MUST be provided in addition to the metadata above. In case a national eID scheme is used by the Credential Issuers for the User authentication, they MAY include a metadata for openid_relying_party within their Entity Configuration. The openid_relying_party metadata MUST be compliant with the Technical Specification SPID/CIE-OpenID-Connect-Specifications.
The federation_entity metadata MUST contain the parameters as defined in Section trust:Metadata of federation_entity Leaves.
The openid_credential_verifier metadata MUST contain the parameters as defined in Section Relying Party Entity Configuration.
10.2.4.1. Example of a (Q)EAA Provider Entity Configuration¶
Below is a non-normative example of an Entity Configuration of a (Q)EAA Provider containing a metadata for
federation_entity
oauth_authorization_server
openid_credential_issuer
openid_credential_verifier
{
"iat": 1718207217,
"exp": 1749743216,
"iss": "https://eaa-provider.example.org",
"sub": "https://eaa-provider.example.org",
"authority_hints": [
"https://trust-anchor.example.org"
],
"jwks": {
"keys": [
{
"kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
},
"metadata": {
"federation_entity": {
"homepage_uri": "https://eaa-provider.example.org/",
"organization_name": "Organization Name",
"contacts": [
"informazioni@example.it",
"protocollo@pec.example.it"
],
"tos_uri": "https://eaa-provider.example.org/public/info_policy.html",
"policy_uri": "https://eaa-provider.example.org/public/privacy_policy.html",
"logo_uri": "https://eaa-provider.example.org/public/logo.svg"
},
"oauth_authorization_server": {
"issuer": "https://eaa-provider.example.org",
"pushed_authorization_request_endpoint": "https://eaa-provider.example.org/as/par",
"authorization_endpoint": "https://eaa-provider.example.org/authorize",
"token_endpoint": "https://eaa-provider.example.org/token",
"client_registration_types_supported": [
"automatic"
],
"code_challenge_methods_supported": [
"S256"
],
"acr_values_supported": [
"https://trust-registry.eid-wallet.example.it/loa/substantial",
"https://trust-registry.eid-wallet.example.it/loa/high"
],
"scopes_supported": [
"EuropeanDisabilityCard",
"mDL"
],
"response_modes_supported": [
"query"
],
"response_types_supported": [
"code"
],
"authorization_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"grant_types_supported": [
"authorization_code"
],
"token_endpoint_auth_methods_supported": [
"attest_jwt_client_auth"
],
"token_endpoint_auth_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"request_object_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"dpop_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
},
"openid_credential_issuer": {
"credential_issuer": "https://eaa-provider.example.org",
"logo_uri": "https://eaa-provider.example.org/public/compact-logo.svg",
"credential_endpoint": "https://eaa-provider.example.org/credential",
"nonce_endpoint": "https://eaa-provider.example.org/nonce-endpoint",
"deferred_credential_endpoint": "https://eaa-provider.example.org/deferred-credential",
"revocation_endpoint": "https://eaa-provider.example.org/revoke",
"status_assertion_endpoint": "https://eaa-provider.example.org/status",
"notification_endpoint": "https://eaa-provider.example.org/notification",
"credential_hash_alg_supported": "sha-256",
"display": [
{
"name": "EAA Provider",
"locale": "it-IT"
},
{
"name": "EAA Provider",
"locale": "en-US"
}
],
"credential_configurations_supported": {
"dc_sd_jwt_EuropeanDisabilityCard": {
"format": "dc+sd-jwt",
"scope": "EuropeanDisabilityCard",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"vct": "urn:eudi:EuropeanDisabilityCard:it:1",
"schema_uri": "https://trust-registry.eid-wallet.example.it/.well-known/schemas/sd-jwt/EuropeanDisabilityCard",
"schema_uri#integrity": "sha256-c0d841be52cfc75b8da3295593eced2b9fca8197ee7e340199cd881a7bf61029",
"credential_metadata": {
"display": [
{
"name": "Carta della disabilità europea",
"locale": "it-IT"
},
{
"name": "European Disability Card",
"locale": "en-US"
}
],
"claims": [
{
"path": ["document_number"],
"display": [
{
"name": "Numero Documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "Name",
"locale": "en-US"
}
]
},
{
"path": ["family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["birth_date"],
"display": [
{
"name": "Data di Nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["personal_administrative_number"],
"display": [
{
"name": "Codice Fiscale",
"locale": "it-IT"
},
{
"name": "Tax Identification Number",
"locale": "en-US"
}
]
},
{
"path": ["expiry_date"],
"display": [
{
"name": "Data di Scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiration Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["constant_attendance_allowance"],
"display": [
{
"name": "Diritto accompagnatore",
"locale": "it-IT"
},
{
"name": "Constant attendance allowance",
"locale": "en-US"
}
]
},
{
"path": ["portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["link_qr_code"],
"display": [
{
"name": "Link QR Code",
"locale": "it-IT"
},
{
"name": "Link QR Code",
"locale": "en-US"
}
]
}
]
}
},
"dc_sd_jwt_mDL": {
"format": "dc+sd-jwt",
"scope": "mDL",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"vct": "urn:eudi:mDL:it:1",
"schema_uri": "https://trust-registry.eid-wallet.example.it/.well-known/schemas/sd-jwt/mDL",
"schema_uri#integrity": "sha256-0a03d9ffe11e39fd748585e433a962f223d7d14b0a49068ad52452bd0b021f63",
"credential_metadata": {
"display": [
{
"name": "Patente di guida",
"locale": "it-IT"
},
{
"name": "Mobile Driver's License",
"locale": "en-US"
}
],
"claims": [
{
"path": ["given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "First Name",
"locale": "en-US"
}
]
},
{
"path": ["family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["birth_date"],
"display": [
{
"name": "Data di nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["place_of_birth"],
"display": [
{
"name": "Luogo di Nascita",
"locale": "it-IT"
},
{
"name": "Place of Birth",
"locale": "en-US"
}
]
},
{
"path": ["issue_date"],
"display": [
{
"name": "Data di rilascio (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Issue Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["expiry_date"],
"display": [
{
"name": "Data di scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiry Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["issuing_country"],
"display": [
{
"name": "Paese di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Country",
"locale": "en-US"
}
]
},
{
"path": ["issuing_authority"],
"display": [
{
"name": "Autorità di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Authority",
"locale": "en-US"
}
]
},
{
"path": ["document_number"],
"display": [
{
"name": "Numero di documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["driving_privileges"],
"display": [
{
"name": "Elenco delle categorie di abilitazione separate da spazio",
"locale": "it-IT"
},
{
"name": "Driving Privileges separated by space",
"locale": "en-US"
}
]
},
{
"path": ["restrictions_conditions"],
"display": [
{
"name": "Annotazioni/Restrizioni valide per tutte le categorie separate da spazio",
"locale": "it-IT"
},
{
"name": "Restriction/Condition for all driving privileges separated by space ",
"locale": "en-US"
}
]
},
{
"path": ["driving_privileges_details"],
"display": [
{
"name": "Dettagli delle categorie di abilitazione",
"locale": "it-IT"
},
{
"name": "Driving privilege details",
"locale": "en-US"
}
]
}
]
}
},
"mso_mdoc_mDL": {
"format": "mso_mdoc",
"scope": "mDL",
"doctype": "org.iso.18013.5.1.mDL",
"schema_uri": "https://trust-registry.eid-wallet.example.it/.well-known/schemas/mdoc/EuropeanDisabilityCard",
"schema_uri#integrity": "sha256-a3ab8478290565ccb9418c5a53d8a5fbcfb44545c3fa595425da594bf8391511",
"cryptographic_binding_methods_supported": [
"cose_key"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"credential_metadata": {
"display": [
{
"name": "Patente di guida",
"locale": "it-IT"
},
{
"name": "Mobile Driver's License",
"locale": "en-US"
}
],
"claims": [
{
"path": ["org.iso.18013.5.1", "given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "First Name",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "birth_date"],
"display": [
{
"name": "Data di nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "birth_place"],
"display": [
{
"name": "Luogo di Nascita",
"locale": "it-IT"
},
{
"name": "Place of Birth",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issue_date"],
"display": [
{
"name": "Data di rilascio (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Issue Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "expiry_date"],
"display": [
{
"name": "Data di scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiry Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issuing_country"],
"display": [
{
"name": "Paese di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Country",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issuing_authority"],
"display": [
{
"name": "Autorità di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Authority",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "document_number"],
"display": [
{
"name": "Numero di documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "driving_privileges"],
"display": [
{
"name": "Elenco delle categorie di abilitazione e relativi dettagli su restrizioni/condizioni",
"locale": "it-IT"
},
{
"name": "Driving Privileges and related restrictions/conditions details",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "un_distinguishing_sign"],
"display": [
{
"name": "Codice identificativo della Nazione",
"locale": "it-IT"
},
{
"name": "Distinguishing sign of the issuing country",
"locale": "en-US"
}
]
}
]
}
}
},
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
},
"trust_frameworks_supported": [
"it_cie",
"it_wallet",
"eudi_wallet"
],
"evidence_supported": [
"vouch"
]
},
"openid_credential_verifier": {
## see relying party metadata section and endpoints
},
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
}
}
}
10.2.5. Credential Issuer Metadata¶
10.2.5.2. Metadata for openid_credential_issuer¶
The openid_credential_issuer metadata MUST contain the following claims.
Claim |
Description |
|---|---|
credential_issuer |
The Credential Issuer identifier. It MUST be a case sensitive URL using HTTPS scheme as defined in OpenID4VCI Sections 12.2.1 and 12.2.4. |
logo_uri |
URL of the entity's logo that will be shown to the User during Wallet Instance interactions. See OID-FED Section 5.2.2. The logo mime type MUST be |
credential_endpoint |
URL of the Credential endpoint. See OpenID4VCI Section 12.2.4. |
nonce_endpoint |
URL of the Nonce Endpoint, as defined in Section 7 of OpenID4VCI. |
revocation_endpoint |
URL of the revocation endpoint. See RFC 8414#section-2. |
deferred_credential_endpoint |
URL of the deferred Credential endpoint, as defined in Section 12.2.4 of OpenID4VCI. |
status_assertion_endpoint |
It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Assertions. See Section Digital Credential Lifecycle for more details. (OAUTH-STATUS-ASSERTION Section 11.1.). |
notification_endpoint |
It MUST be an HTTPs URL indicating the notification endpoint. See Section 12.2.4 of [OpenID4VCI]. |
authorization_servers |
OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC 8414]) the Credential Issuer relies on for authorization. If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server. |
display |
See OpenID4VCI Section 12.2.4. Array of objects containing display language properties. The parameters that MUST be included are:
|
credential_configurations_supported |
JSON object that outlines the details of the Digital Credentials supported by the Credential Issuer. It includes a list of name/value pairs, where each name uniquely identifies a specific supported Digital Credential. This identifier is utilized to inform the Wallet Instance which Digital Credential can be provided by the Credential Issuer. The associated value within the object MUST contain metadata specific to that Digital Credential, as defined following. See OpenID4VCI Sections 12.2.4 and A.3.2.
|
jwks |
JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See OID-FED Section 5.2.1 and JWK. |
trust_frameworks_supported |
|
evidence_supported |
JSON array containing all types of identity evidence supported by the Credential Issuer. See OIDC-IDA Section 8. The supported value is |
credential_hash_alg_supported |
The supported algorithm used by the Wallet Instance to hash the Digital Credential for which the Status Assertion is requested. It is RECOMMENDED to use sha-256. (See OAUTH-STATUS-ASSERTION Section 11.1.). |
batch_credential_issuance |
Object containing information about the Credential Issuer's support for issuance of Credentials in a batch at the Credential Endpoint. The presence of this parameter means that the Credential Issuer supports more than one key proof in the
|
10.2.5.3. Credential Issuer Metadata retrieval¶
The Credential Issuer's Metadata can be retrieved using the Credential Issuer Identifier. The JSON document MUST be available through the /.well-known/openid-credential-issuer endpoint as defined in Section 12.2 of OpenID4VCI.
The Accept-Language header in the HTTP GET request can be used to indicate the language(s) preferred. In this case the Credential Issuer can send a subset of the metadata containing internationalized display data for one or all of the requested languages and indicate returned languages using the HTTP Content-Language Header.
Below is a non-normative example.
GET /.well-known/openid-credential-issuer HTTP/1.1
Host: issuer.example.com
Accept: application/json
Accept-Language: it-IT, it;q=0.9
The Credential Issuer MUST respond with HTTP Status Code 200 and return the Credential Issuer Metadata containing the parameters defined in Metadata for openid_credential_issuer within in an unsigned JSON document using the media type application/json.
The authorization_servers entries of the Credential Issuer Metadata can be used to obtain the Authorization Server metadata from the Oauth Authorization Server /.well-known/oauth-authorization-server as defined in Section 3 of RFC 8414. In case of authorization_servers parameter is omitted, the Credential Issuer's identifier can be used to retrieve the Authorization Server metadata.
Below is a non-normative example.
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: oauth-authorization-server.example.com
The Oauth Authorization Server MUST respond with HTTP Status Code 200 and return the Oauth Authorization Server Metadata containing the parameters defined in Metadata for oauth_authorization_server within in a JSON document using the media type application/json.