In section 5.1.1 (Using Authorization Details Parameter), the spec states:
"If the Credential Issuer metadata contains an authorization_servers parameter, the authorization detail's locations common data field MUST be set to the Credential Issuer Identifier value."
The locations field is needed for an authorization server to distinguish which credential issuer is being targeted, which is only relevant when one auth server protects multiple credential issuers. However, the normative condition (presence of authorization_servers in the credential issuer metadata) does not imply that deployment. A credential issuer can list multiple auth servers in authorization_servers where each one individually only protects a single issuer, making locations unnecessary for those auth servers.
The non-normative example correctly frames the scenario as "an Authorization Server protects multiple Credential Issuers", but the normative condition does not align with it.
Should the condition be tied to that deployment scenario instead?
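The gap described above, as an added illustration that is not part of the issue or the spec text: it compares the quoted condition with the deployment-based one for each listed Authorization Server and shows how an AS could resolve the targeted issuer. The URLs, the `AS_PROTECTS` map and all function names are constructed assumptions.

```python
# Constructed deployment map: which Credential Issuers each Authorization
# Server protects. Assumption: not expressed by the issuer metadata itself.
AS_PROTECTS = {
    "https://as-shared.example": ["https://issuer-a.example", "https://issuer-b.example"],
    "https://as-solo.example": ["https://issuer-a.example"],
}

# Constructed Credential Issuer metadata listing both Authorization Servers.
ISSUER_METADATA = {
    "credential_issuer": "https://issuer-a.example",
    "authorization_servers": list(AS_PROTECTS),
}


def required_by_normative_text(issuer_metadata):
    """Condition as quoted: authorization_servers is present in the metadata."""
    return "authorization_servers" in issuer_metadata


def needed_by_deployment(auth_server, as_protects=AS_PROTECTS):
    """Condition the issue proposes: this AS protects more than one issuer."""
    return len(as_protects.get(auth_server, [])) > 1


def resolve_target_issuer(auth_server, detail, as_protects=AS_PROTECTS):
    """AS-side view: pick the targeted issuer or reject the request."""
    protected = as_protects.get(auth_server, [])
    locations = detail.get("locations")
    if locations:
        # Never trust the client-supplied value beyond the protected set.
        if len(locations) != 1 or locations[0] not in protected:
            raise ValueError("locations does not name an issuer this AS protects")
        return locations[0]
    if len(protected) == 1:
        return protected[0]  # unambiguous without locations
    raise ValueError("locations missing and target issuer is ambiguous")


def compare(issuer_metadata=ISSUER_METADATA):
    """Per listed AS: (auth_server, required_by_text, needed_by_deployment)."""
    required = required_by_normative_text(issuer_metadata)
    return [(a, required, needed_by_deployment(a))
            for a in issuer_metadata.get("authorization_servers", [])]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

For `as-solo.example` the two conditions disagree: the quoted text requires `locations`, while the AS can resolve the issuer without it.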