
Update auth_scopes for openid4vp auth.#483

Merged
masv3971 merged 7 commits into
mainfrom
masv/apigw/datasources
Jun 13, 2026

Conversation

@masv3971

Member

No description provided.

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the OpenID4VP authentication configuration model so each acceptable auth scope can declare its own required identity claims, and updates the verifier/issuer flows to extract identity based on the matched auth scope.

Changes:

  • Change auth_scopes from a list to a map of scope key → per-scope auth_claims (OpenID4VP).
  • Replace DatastoreScope.ExtractIdentityClaims with model.ExtractIdentityClaims(claims, required) that returns an error when required claims are missing/non-string.
  • Update validation, tests, example config, and generated configuration docs to match the new structure.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

Summary per file

| File | Description |
| --- | --- |
| pkg/model/util_test.go | Updates unit tests for the new ExtractIdentityClaims signature and map-based AuthScopes. |
| pkg/model/data_sources.go | Introduces AuthScopeEntry, changes AuthScopes to a map, and adds the ExtractIdentityClaims helper. |
| pkg/model/config.go | Updates the OpenID4VP auth accessor to return map-based AuthScopes. |
| pkg/model/config_test.go | Adjusts credential source lookup tests for the new AuthScopes shape. |
| pkg/helpers/validate.go | Updates OpenID4VP datastore scope validation for map-based auth_scopes and per-scope claims. |
| pkg/helpers/validate_test.go | Updates validation tests for the new auth_scopes structure and rules. |
| internal/apigw/apiv1/handlers_verifier.go | Builds DCQL per auth scope using per-scope claims; extracts identity based on the matched credential query ID. |
| internal/apigw/apiv1/handlers_issuer.go | Switches identity extraction to the new model.ExtractIdentityClaims(..., dsCred.AuthClaims) with error handling. |
| docs/CONFIGURATION.md | Regenerates docs to describe auth_scopes as an object with per-entry auth_claims. |
| developer_tools/scripts/gen_bootstrap/socialsecurity_pda1_test.go | Updates schema validation test paths/expectations (currently introduces a test correctness issue). |
| config.yaml | Updates the example config to the new nested auth_scopes structure for OpenID4VP. |
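As an added example, not code from this PR or the project, the following Go sketch shows the shape of the change the overview describes: auth_scopes keyed by scope, each entry carrying its own required identity claims, and an ExtractIdentityClaims helper that returns an error when a required claim is missing or is not a string instead of yielding a partial identity. The type names OpenID4VPAuth and AuthScopeEntry, the field names, the error variables and the IdentityForScope method are assumptions; the project's real structs are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthScopeEntry is the per-scope configuration: the identity claims that a
// credential presented under this scope must supply. (Assumed shape; the PR
// names AuthScopeEntry and auth_claims but does not show the struct here.)
type AuthScopeEntry struct {
	AuthClaims []string `yaml:"auth_claims"`
}

// OpenID4VPAuth holds auth_scopes as a map keyed by scope, as the PR changes it
// from a plain list. (Assumed name.)
type OpenID4VPAuth struct {
	AuthScopes map[string]AuthScopeEntry `yaml:"auth_scopes"`
}

var (
	ErrMissingClaim   = errors.New("required identity claim missing")
	ErrClaimNotString = errors.New("required identity claim is not a string")
)

// ExtractIdentityClaims returns only the required claims and fails when any of
// them is absent or not a string, so a presentation that omits an identity
// attribute cannot silently pass as an authenticated identity.
func ExtractIdentityClaims(claims map[string]any, required []string) (map[string]string, error) {
	out := make(map[string]string, len(required))
	for _, name := range required {
		v, ok := claims[name]
		if !ok {
			return nil, fmt.Errorf("%w: %q", ErrMissingClaim, name)
		}
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("%w: %q has type %T", ErrClaimNotString, name, v)
		}
		out[name] = s
	}
	return out, nil
}

// IdentityForScope looks up the matched scope and extracts its claims. An
// unknown scope is rejected rather than treated as "no claims required".
// (Assumed helper, not part of the project's API.)
func (a OpenID4VPAuth) IdentityForScope(scope string, claims map[string]any) (map[string]string, error) {
	entry, ok := a.AuthScopes[scope]
	if !ok {
		return nil, fmt.Errorf("auth scope %q not configured", scope)
	}
	return ExtractIdentityClaims(claims, entry.AuthClaims)
}

func main() {
	cfg := OpenID4VPAuth{AuthScopes: map[string]AuthScopeEntry{
		"pda1": {AuthClaims: []string{"given_name", "family_name"}},
	}}
	// Constructed sample claims from a presented credential; "age" is extra
	// and is not copied into the identity.
	claims := map[string]any{"given_name": "Ada", "family_name": "Lovelace", "age": 36}
	id, err := cfg.IdentityForScope("pda1", claims)
	fmt.Println(id, err)
	_, err = cfg.IdentityForScope("pda1", map[string]any{"given_name": "Ada"})
	fmt.Println(err)
}
```

Returning an error rather than an empty or partial map is the security-relevant choice here: the caller cannot accidentally treat a missing or mistyped claim as a valid identity, and the wrapped sentinel errors let handlers distinguish configuration mistakes from bad presentations.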


Comment thread pkg/model/data_sources.go Outdated
Comment thread developer_tools/scripts/gen_bootstrap/socialsecurity_pda1_test.go Outdated
Comment thread developer_tools/scripts/gen_bootstrap/socialsecurity_pda1_test.go Outdated
Comment thread developer_tools/scripts/gen_bootstrap/socialsecurity_pda1_test.go Outdated
Comment thread developer_tools/scripts/gen_bootstrap/socialsecurity_pda1_test.go Outdated
masv3971 and others added 4 commits June 13, 2026 15:18

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Comment thread internal/apigw/apiv1/handlers_verifier.go Outdated

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Comment thread pkg/model/util_test.go Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sonarqubecloud

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

internal/apigw/apiv1/handlers_verifier.go:67

  • GetFormatForScope() returns an empty string when the auth scope key has no credential metadata configured (see pkg/model/config.go:1055-1062). Since DCQL CredentialQuery.Format is required, silently emitting an empty format will produce an invalid request object and can be hard to diagnose. Consider failing fast with a clear error when format is empty (and use the looked-up value in the CredentialQuery).
		credentialQueries = append(credentialQueries, openid4vp.CredentialQuery{
			ID:       authScope,
			Format:   c.cfg.GetFormatForScope(authScope),
			Multiple: false,
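
As an added example, not code from the PR or the project, the following Go block shows the fail-fast behaviour the suppressed comment asks for: one DCQL credential query is built per auth scope from that scope's claims, and an empty format from the scope lookup aborts request construction with a clear error instead of being written into the request object. CredentialQuery and ClaimQuery are minimal stand-ins for the openid4vp types (only the fields named on this page plus a DCQL claims path), Config and its Formats map are assumptions standing in for the project's config, and the sample format value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ClaimQuery is a DCQL claims entry; DCQL addresses claims by path.
type ClaimQuery struct {
	Path []string `json:"path"`
}

// CredentialQuery is a minimal stand-in for openid4vp.CredentialQuery
// (assumption: only the fields the review comment names, plus claims).
type CredentialQuery struct {
	ID       string       `json:"id"`
	Format   string       `json:"format"`
	Multiple bool         `json:"multiple"`
	Claims   []ClaimQuery `json:"claims,omitempty"`
}

// Config maps an auth scope to its credential format. An unconfigured scope
// yields "", which is the behaviour the review attributes to GetFormatForScope.
// (Assumed stand-in for the project's config.)
type Config struct {
	Formats map[string]string
}

func (c Config) GetFormatForScope(scope string) string { return c.Formats[scope] }

var ErrEmptyFormat = errors.New("no credential format configured for auth scope")

// BuildCredentialQueries builds one credential query per auth scope, using the
// per-scope auth claims, and fails fast when the format lookup is empty so an
// invalid request object is never emitted. Scopes are processed in sorted
// order so the output (and the first error) is deterministic.
func BuildCredentialQueries(cfg Config, scopes map[string][]string) ([]CredentialQuery, error) {
	keys := make([]string, 0, len(scopes))
	for k := range scopes {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	out := make([]CredentialQuery, 0, len(keys))
	for _, scope := range keys {
		format := cfg.GetFormatForScope(scope)
		if format == "" {
			return nil, fmt.Errorf("%w: %q", ErrEmptyFormat, scope)
		}
		claims := make([]ClaimQuery, 0, len(scopes[scope]))
		for _, name := range scopes[scope] {
			claims = append(claims, ClaimQuery{Path: []string{name}})
		}
		out = append(out, CredentialQuery{
			ID:       scope,
			Format:   format, // use the looked-up value, not a second lookup
			Multiple: false,
			Claims:   claims,
		})
	}
	return out, nil
}

func main() {
	// Constructed sample config: "pda1" has a format, "ehic" does not.
	cfg := Config{Formats: map[string]string{"pda1": "dc+sd-jwt"}}
	qs, err := BuildCredentialQueries(cfg, map[string][]string{"pda1": {"given_name", "family_name"}})
	fmt.Println(qs, err)
	_, err = BuildCredentialQueries(cfg, map[string][]string{"pda1": nil, "ehic": {"given_name"}})
	fmt.Println(err) // the misconfigured scope is reported before any request is sent
}
```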

@masv3971 masv3971 merged commit 20d75f3 into main Jun 13, 2026
7 checks passed
@masv3971 masv3971 deleted the masv/apigw/datasources branch June 13, 2026 13:49
