Wallets must support the pre-auth flow

[leecam]

Today many issuance flows start with the user in an authenticated state either in a website or native app. The issuer then wishes to issue a credential for that authenticated user. Currently this is done using the pre-auth code flow using short lived token.

For this to work we'd need to make the following changes to HAIP:

1. Wallets MUST support both the auth code flow and the pre-auth code flow
2. Issuers may choose to support either the auth code flow or the pre-auth code flow depending on their needs.

[Sakurann]

wg discussion:

• wg understands that this is an important use-case. but there are details to be figured out. objections to support it in cross-device.

[Sakurann]

WG discussion:

• was larger support emerging to re-add pre-auth code while mandating security considerations.
  • concern when some of those security considerations might not apply... companion device might not have a browser. or that it would be hard to write those security considerations in a holistic way.

agreement to do add this once we have dc api with VCI