Description
Originally posted by @nanderstabel in #186 (comment)
I just noticed that in the current OID4VCI working draft (draft 16, not DIIPv4) they've added the restriction that `/.well-known/openid-credential-issuer` needs to be appended directly to the domain: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#appendix-J-3.9

> Credential Issuers publishing metadata MUST make a JSON document available at the path formed by inserting the string `/.well-known/openid-credential-issuer` into the Credential Issuer Identifier between the host component and the path component, if any.
>
> For example, the metadata for the Credential Issuer Identifier `https://issuer.example.com/tenant` would be retrieved from `https://issuer.example.com/.well-known/openid-credential-issuer/tenant`. The metadata for the Credential Issuer Identifier `https://tenant.issuer.example.com` would be retrieved from `https://tenant.issuer.example.com/.well-known/openid-credential-issuer`.

This is not directly relevant to us now since it is not part of DIIP yet, but it is another reason to put certain restrictions on the Public URL. Perhaps we should indeed block base paths altogether and suggest `https://tenant.issuer.example.com` over `https://issuer.example.com/tenant`?
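The derivation rule quoted above, as an added worked example (not code from the original issue or from the project it belongs to). It builds the metadata URL the way the draft requires (well-known segment inserted between host and path), contrasts it with the naive "append to the end" construction, and adds the `has_base_path` check the comment proposes for the Public URL. One assumption not stated in the quoted text: an empty path or a bare `/` is treated as "no path component".

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-credential-issuer"


def _validate(parts):
    # The draft defines a Credential Issuer Identifier as an https URL with
    # scheme, host, optional port and path, and no query or fragment.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Credential Issuer Identifier must be an https URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("Credential Issuer Identifier must not carry query or fragment")


def credential_issuer_metadata_url(issuer_id: str) -> str:
    """Metadata URL per the quoted rule: insert WELL_KNOWN between the host
    component and the path component (if any) of the identifier."""
    parts = urlsplit(issuer_id)
    _validate(parts)
    # Assumption: "" and "/" both mean "no path component".
    path = parts.path if parts.path not in ("", "/") else ""
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))


def naive_metadata_url(issuer_id: str) -> str:
    """The construction an implementer might reach for first: append the
    well-known segment to the end of the identifier. Correct only when the
    identifier has no path component; shown here for contrast."""
    parts = urlsplit(issuer_id)
    _validate(parts)
    return issuer_id.rstrip("/") + WELL_KNOWN


def has_base_path(issuer_id: str) -> bool:
    """True for identifiers of the form https://issuer.example.com/tenant,
    i.e. the multi-tenant style the comment proposes to block in favour of
    https://tenant.issuer.example.com."""
    parts = urlsplit(issuer_id)
    _validate(parts)
    return parts.path not in ("", "/")


if __name__ == "__main__":
    # Constructed sample identifiers mirroring the two examples in the draft.
    for issuer in ("https://issuer.example.com/tenant", "https://tenant.issuer.example.com"):
        print(issuer)
        print("  spec :", credential_issuer_metadata_url(issuer))
        print("  naive:", naive_metadata_url(issuer))
        print("  base path:", has_base_path(issuer))
```

The practical consequence for the path-based layout is visible in the output: every tenant's metadata has to be served from the root host's `/.well-known/openid-credential-issuer/<tenant>` path, so the operator of `issuer.example.com` must route those requests for all tenants, whereas with the subdomain layout each tenant host owns its own well-known document. That is the operational argument behind restricting the Public URL to a path-free identifier.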